James Clapper's Latest Section 215 Doc Release Shows NSA Behavior, Redaction Skills Both Questionable
from the unofficial-doc-releases-still-preferable,-easier-to-read dept
The ODNI released another batch of Section 215 court orders on Friday, and as usual, it was prefaced with the same statement by James Clapper that obfuscates the fact that these document releases were compelled by an EFF lawsuit.
These releases reflect the Executive Branch’s continuing commitment to make information about the implementation of Sections 501 and 702 publicly available when appropriate, while ensuring the protection of the national security of the United States.
I’m not entirely sure the Executive Branch’s “commitment” is any less compelled than the ODNI’s document releases. Obama has said he “welcomes the debate” on national security, but it’s a bit like “welcoming” someone who has kicked in your door and made himself comfortable on your couch. It’s more “confrontation” than “conversation.”
Either way, there’s not a ton of surprising stuff in these documents, thanks to the release of an unredacted court order by The Guardian back in June of last year. The verbiage has morphed over the last several years (the docs released date back to 2006 — the point at which the collection was “authorized”) with the greatest changes occurring after Judge Walton nearly shut the program down (for “systemic abuse” of the collection since its inception three years earlier) in March of 2009.
Here’s what’s worth noting from the latest ODNI document dump.
A footnote that appears in many of the orders gives us some idea how many numbers have made their way back to the FBI since the program’s inception. The earliest order released (dated 8-18-06) states this:
The Court understands that NSA expects that it will continue to provide on average approximately two telephone numbers per day to the FBI.
Three months later (11-13-06), the number of “tips” increases:
The Court understands that NSA expects that it will continue to provide on average approximately three telephone numbers per day to the FBI.
There may be several redundancies in the NSA’s tipped numbers (presumably the NSA doesn’t concern itself with ensuring it hasn’t tipped a number before) but the raw numbers indicate the FBI is receiving 1,095 tips per year, per telco. It’s by no means a massive number compared to the entire collection, but it’s still a lot of numbers for the nation’s second largest national security agency to investigate.
The next point of interest appears in an amendment to a 2007 order, this one signed by Judge Kollar-Kotelly. Whatever the NSA was searching its collection for apparently didn’t fall within the normal “counterterrorism” confines. The text is very heavily redacted, but the words remaining around the edges suggest a non-national security target.
3. The results of each such query shall be segregated to the extent feasible until BR 07-10 expires or [xxxxxxxxxx] whichever comes first.
4. Upon the conclusion of [xxxxxxxxx] or at the time of the renewal application, whichever comes first, NSA shall submit a written report to the Court stating why the results of any query conducted pursuant to this Motion should not be destroyed.
5. This amendment is strictly limited to allowing queries of the metadata [xxxxxxxxx] and does not apply to queries for the purpose of [xxxxxxxxx].
[The text doesn’t show the lengths of the redacted areas, so this screencap might be a little more relevant.]
As of January 2008, querying the metadata database was restricted to approval by “one of eight people.” But by the following order (04-03-08), this number had mysteriously swelled to twenty-three. There’s no documentation or explanation given for the expanded roster of query-approval personnel on what is basically the renewal of the previous court order. (This one is signed by a different judge, however.) This may be just be one example of the “systemic abuse” called out by Judge Walton in his near-dismantling of the program — a tripling of query approvers for a database whose access was supposed to be very strictly controlled.
What is likely Judge Walton’s first court order since his February 2008 order temporarily halting the NSA’s bulk records collection notes that approvals to search the database will only be approved on a case-by-case basis until further notice. Unfortunately, this order also gives the agency a convenient way to avoid having to seek the court’s prior approval.
[I]f the government determines that immediate querying of the BR metadata through contact chaining [xxxxxxxxxxxxxxx] is necessary to protect against an imminent threat to human life, the government may query the BR metadata for such purpose. In each such. case falling under this latter category, the government shall notify the Court of the access, in writing, no later than 5:00 Eastern Time on the next business day after such access.
Walton’s court order dated Feb. 26, 2010 contains a number of new additions not seen in previous orders. Most notably, it details the NSA’s (compelled) decision to fix its software to limit the number of “hops” an analyst could take during contact chaining.
In addition, the Court understands from the Declaration of Lieutenant General Keith B. Alexander, Director of NSA (Ex. A to the Report of the United States filed in docket number BR on August 17,2009) that NSA has made a number of technical modifications that will prohibit a) from inadvertently accessing the BR metadata in [xxxxxxx]; b) from querying the BR metadata in [xxxxxxx] with non-RAS-approved identifiers; and c) from going beyond three “hops” from an identifier used to query the BR metadata in [xxxxxxx].
How many “hops” did NSA analysts (this same order notes there are 125 analysts* approved to search the BR database) take before this implementation? Three years down the road from the program’s beginning, the NSA is finally forced to admit it has a problem (well, several actually) and implemented the sort of software-based restrictions it should have had in place in 2006.
* This number seems to have been redacted needlessly in the renewal of the February court order.
It also notes the administration will be given access to BR data in order to “determine whether the information contains exculpatory or impeachment information or is otherwise discoverable in legal proceedings.” The follow-up question (which still has no real answer) is what does the Executive Branch do with this info? Does it get buried? Is it barred from being admitted as evidence because it would “damage national security,” even though it could spring an innocent person? From what we’ve seen in previous cases, it appears as though the government is more willing to imprison someone than allow surveillance data to be admitted as evidence.
Also of note is this particular redaction, the length of which indicates this order is aimed at AT&T. (Gotta love monospaced fonts.)
This isn’t the only document in which the NSA exposes something inadvertently. A January 2011 court order duly redacts anything worth noting, including the recipient of the order, right up until page 4, where this slips through.
Finally, two supplemental orders from 2011 indicate the NSA was also gathering credit card information along with the rest of the metadata, possibly inadvertently. Both contain the following paragraph.
It is hereby ORDERED that such reports, in addition to the elements described in Paragraph shall include a discussion of NSA’s consideration and, to the extent feasible, implementation of methods of purging the credit card information produced by [xxxxxxx] and described in letters submitted by the government on March 1, 2011, and April 13, 2011, in Docket Nos. BR 10-49 and BR 10-70.
Note the time difference between the letters from the government and the orders to which they refer. Both BR collections were authorized by court orders in 2010 (10-49 was signed 08-04-10 and 10-70 on 10-29-10). At the very least, the NSA was sweeping up credit card info for nearly six months before it was pointed out.
What these documents show is that the NSA does have several layers of accountability and oversight, much of which has been in place since the inception of the Section 215 program. Unfortunately, most of these controls are internal, making the word “oversight” rather meaningless. As Walton discovered before issuing his order halting the program, any oversight outside of the agency had to rely on the NSA’s portrayal of its activities, something that was rarely accurate.
And there’s reason to believe that much of what was implemented as a result of Walton’s court order has been less than rigorously enforced over the last few years. The orders following this pivotal point ran 10-13 pages and were loaded with restrictions and reporting requirements. The order leaked by Snowden from April 2013 runs only 4 pages and limits disclosure of the data, but very little else. The extensive reporting requirements implemented in 2009, as well as the stipulations restricting the number of people authorized to give query approval, are no longer present. Given what happened during the first three years of the program, this lack of mandated controls doesn’t exactly inspire confidence that abuses aren’t ongoing.