Declassified Opinion On Bulk Email Collection Details More Abuse By The NSA

from the and-yet-the-program-received-a-green-light dept

As more NSA-related documents are forced out into the public eye, the narrative contained within the court opinions is at odds with the NSA’s continuous declarations that utmost care has been taken to prevent violating the privacy of Americans.

A previous release detailed how FISC Judge Reggie Walton nearly shuttered the Section 215 program in 2009 due to widespread abuse by NSA analysts. The evidence uncovered by internal audits and the agency’s own admissions led Walton to issue this damning statement:

The minimization procedures… have been so frequently and systemically violated that it can fairly be said that this critical element of the overall BR regime has never functioned effectively.

The NSA’s bulk internet metadata program (Stellar Wind) was also suspended for several months due to numerous violations. Judge John Bates, taking over for Kollar-Kotelly (who issued the opinion granting the NSA permission to collect internet metadata on Americans by using a very generous reading of the pen register statute), makes it clear he’s wholly unimpressed with the agency’s trustworthiness.

Although the specific terms of authorization under those orders varied over time, there were important constants. Notably, each order limited the authorized acquisition to [redacted] categories of metadata. As detailed herein, the government acknowledges that NSA exceeded the scope of authorized acquisition continuously during the more than [redacted] years of acquisition under these orders.

Although all dates are redacted, the opinion does cite Judge Walton’s 2009 findings (in reference to the Section 215 program). The authorization of the email metadata collection seems to have been granted in 2005 (at least in terms of targeting Americans), suggesting that we’re looking at close to another half-decade of abuse by the agency in this program — abuse that saw this program temporarily suspended as well.

Despite these almost-concurrent (and lengthy) episodes of abuse, the government not only sought reinstatement of the program, but also an expansion.

The current application relies on this prior framework, but also seeks to expand authorization in ways that test the limits of what the applicable FISA provisions will bear. It also raises issues that are closely related to serious compliance problems that have characterized the government’s implementation of prior FISC orders.

The court points out in a footnote that the oversight it’s supposed to provide (and that its defenders constantly point to) is severely hampered by the government itself.

The government argued that “FISA prohibits the Court from engaging in any substantive review of this certification,” and that “the Court’s exclusive function” was “to verify that it contains the words required” by the statute.

The court wasn’t impressed by this argument (but ultimately decided in favor of the government anyway) but it’s telling that the government would choose to read the Act as supportive of thwarting oversight.

Even when the government itself is presenting its case, it still can’t find a way to make the violations appear minimal.

As described by the government, the unauthorized collection resulted from failures to [redacted] in the manner required… By the government’s account, the lack of required [redacted] did not result from technical difficulty or malfunction, but rather from a failure of “those NSA officials who understood in detail the requirements of the [redacted] Opinion… to communicate those requirements effectively…”

The government assessed the violations to have been caused by “poor management, lack of involvement by compliance officials, and lack of internal verification procedures — not by bad faith.”

The scenario painted by the government is one of minimal care being taken with the dragnet’s data collection. It appears no one can be bothered to do the job right, even when entrusted with data of millions of Americans. This would be one thing if the agency was tiny and not tasked with national security. It’s quite another when the agency declares that national security trumps privacy concerns and then half-asses its way through each workday. You don’t need “bad faith” when you’ve got lousy management and zero interest in fixing the problem.

The court also notes that the surveillance programs (both the phone and internet metadata) were prone to overcollection. A few heavily-redacted paragraphs leaves just enough substance to indicate the size of the problem.

Notwithstanding this and many similar prior representations, there in fact had been systemic overcollection since [redacted]…

The government later advised that this continuous overcollection acquired metadata obtained at many other types of data” and that “[v]irtually every record” generated by this program included some data that had not been authorized for collection

The government has provided no comprehensive explanation of how so substantial an overcollection occurred, only the conclusion [lengthy redaction]… The government has said nothing about how the systemic overcollection was permitted to continue [lengthy redaction].

However, given the duration of this problem, the oversight measures ostensibly taken since-to detect overcollection, and the extraordinary fact that NSA’s end-to-end review overlooked unauthorized acquisitions that were documented in virtually every record of what was acquired, it must be added that those responsible for conducting oversight at NSA failed to do so effectively.

The conclusions are ugly but are ultimately of little consequence. The program was reinstated. There’s a long discussion about the terminology being used in these court orders (along with some talk about whether a URL is “content” or “data,” p. 32-33) and several fully-redacted pages presumably detailing the metadata the NSA is authorized to collect (p. 35-52). The government’s discussion on what is or isn’t content (according to the NSA dictionary) contains another long stretch of uninformative blackness that spans from page 57 to page 70.

When we finally arrive at the government’s request to expand the authorization of its highly-modified “pen register,” we get some indication of exactly how much more metadata the agency was looking to grab.

The current application, in comparison with prior dockets, seeks authority to acquire a much larger volume of metadata at a greatly expanded range of facilities,” while also modifying — and in some ways relaxing — the rules governing the handling of metadata. In the foreseeable future, NSA does not expect to implement the full scope of the requested authorization because of processing limitations. [redacted] Response at 1. Even so, NSA projects the creation of [redacted] metadata records per day during the period of the requested order, compared with the norm under prior orders of approximately [redacted] records per day. Id. That is roughly an 11- to 24-fold increase in volume.

Despite the leap in volume and the stated misgivings about the NSA’s ability to do its job properly, the court granted both the expansion and continuation of the program. The court asked for a few minimal concessions (limited to two “hops,” RAS [reasonable articulable suspicion) searches only, an expiration date on stored data [180 days for Americans, one year for the rest of the world], additional reporting from the NSA), but other than that, allowed the bastardization of the pen register statute to sail through. About the only roadblock erected is the declaration that the previously unauthorized collections summarized early in the opinion were effectively off limits to NSA analysts, thanks to wording contained in the FISA Act itself.

We’re still in the dark as to what specifically the NSA was authorized to collect under the heading of “metadata” in this program. The information we do have has come from Snowden’s document leaks, not from the DNI’s “magnanimous” compelled response to court orders. Considering so much of this info is already out in the open, you would think the ODNI would have applied the black pen a little less heavily.

What we have learned is that the FISA courts have been delivered report after report of abuse by the NSA and has, with rare exceptions, allowed the agency to continue its collections uninterrupted. The “rubber stamp” may be able to craft 100+ page opinions filled with sincere discussions of the program’s merits and the NSA’s seeming inability to not exceed its authority, but when it’s all said and done, the court allows the collections to proceed.

Filed Under: , , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Declassified Opinion On Bulk Email Collection Details More Abuse By The NSA”

Subscribe: RSS Leave a comment
Anonymous Coward says:

So let me get this straight...

The NSA got was being scolded by the court for running violated constitutional rights, over collected data that they were not authorized to collect and misused that data such that there were rampant abuses such that the court determined that oversight measures designed to protect against such abuses were so ineffective that they might as well be non-existent. Then the NSA had the balls to try to tell the court that they couldn’t actually determine whether the programs were lawful or not but rather only whether the paperwork on the request was made properly. Then suggested that the solution to the overcollection issue was to expand it such that everything that they were collecting was then authorized (and more that they didn’t even plan on collecting, just to be on the safe side) and the court bought that and told them ok but here are a few little conditions so we can say we made you comply with something? WTF!?!

That’s like me catching my 6 year old daughter sneaking a cookie from the cookie jar and while I’m disciplining her for sneaking it she suggests that I just give her the whole jar (and a bag of candy too just so she won’t be tempted to sneak into that either) so that she can’t sneak cookies anymore and me saying “You know that’s a good idea, but go to your room to eat them so you can think about what you have done.” Who raised these people? I think a big group people need to literally walk into the FISA court wielding a big wooden paddles and put those judges over their knees to show them what discipline for bad behavior is really supposed to be like.

Anonymous Coward says:

The FISA court has been wanting the public to know it was not simply a rubber stamp. Yet it’s actions despite the problems it finds indicate preciously that.

Finding fault with programs and not demanding fixes means the court does not care enough about privacy to rule in favor of it. This looks like that without the adversarial process there is no one to remind the judge of what is important.

Further the longer this goes on, the more we learn about the abuses of the NSA and it’s fellow agencies all tied together. Basically they have ignored all Constitutional and judicial restraints that were inconvenient. Whenever possible, the National Secrets is used to prevent having to explain those outlandish violations on thresholds it was not supposed to cross. No one is guarding the hen house but the foxes.

Again we have damning evidence of just why the NSA needs to be terminated, all funding ceased to support it, until a through independent congressional investigation is conducted that is not bias and partisan to get to the bottom of just why the NSA thinks it can do as it has. Further it should be investigated from the congressional subcommittee in charge of Intelligence matters as to why they have failed to do their jobs as they have sworn to uphold the very constitution that the NSA is constantly violating. It should also continue from there right on their the office of the president.

Yah, I know that wishful thinking isn’t going to happen but it needs to in the worst sort of way, letting the chips fall where they may.

That One Guy (profile) says:

Re: Re:

Further it should be investigated from the congressional subcommittee in charge of Intelligence matters as to why they have failed to do their jobs as they have sworn to uphold the very constitution that the NSA is constantly violating.

I agree with the fact that the whole mess needs to be investigated(though I’d argue for a public investigation, they don’t care about our privacy, why should we care about theirs?), but that group is the last ones who should be involved in the investigation, given most of them are just as guilty as the NSA/FISA ‘court’ at coming up with justifications and cover-ups of what’s been happening.

Unless you meant to say that they should be investigated too, in which case I would be in complete agreement.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...