Inspector General's Report Shows Section 702 Isn't The Only Thing Being Abused By The NSA
from the does-the-NSA-even-understand-the-concept-of-'internal-controls?' dept
There’s more than Section 702 up for renewal at the end of this year. Most of the attention has been focused on Section 702 because it’s used most frequently for internet communications and data collections. Not only does the NSA make use of this collection, but other agencies (FBI, CIA) are allowed unminimized access to NSA 702 data stores. With this many agencies reliant on NSA communications interception, the sales pitches have been focusing on this particular authority.
But there are other surveillance authorities under Title VII: Sections 704 and 705, which allow the NSA to target US persons located outside of the country. The numbers put up by these sections aren’t as impressive as Section 702’s (~3,000 selectors for 151 million records), but 704/705 isn’t supposed to result in incidental collection. It’s a US spy agency actively spying on US citizens.
According to Marcy Wheeler, these collections only target about 80 people. But protections for US citizens aren’t supposed to evaporate just because they’ve travelled out of the country. Agencies seeking to use these authorities must obtain a FISA court order to collect communications and data. Section 704 covers new requests for collections and Section 705 allows for “streamlined” requests/renewals for orders covering US persons already targeted by the agency.
The NSA may be compliant in terms of obtaining court orders, but the 2016 Inspector General’s report [PDF] released last week shows the agency has done almost nothing to prevent abuse of its collections.
At the time of our review, the Agency could not reliably identify queries performed using selectors associated with FAA 704 and 705(b) targets because the SIGINT databases did not uniformly send records in the correct format to [REDACTED] (NSA’s SIGINT auditing and logging system).
We identified [REDACTED] queries that were not compliant with the FAA 704 and 705(b) targeting and minimization procedures. [LONG REDACTION] We identified another [REDACTED] queries that were performed outside the targeting authorization periods in E.O. 12333 data, which is prohibited by the E.O. 12333 minimization procedures. We also identified [REDACTED] queries performed using USP selectors in FAA 702 upstream data, which is prohibited by the FAA 702 minimization procedures.
According to the NSA, the problem is its own software. These collections are obtained beforehand. The FISA orders only limit what analysts can search for in the collected data. Everything apparently funnels into one big pile, and it’s up to analysts to search according to the controlling statute (702, 704, 705, or Executive Order 12333). The problem is the NSA’s system immediately gives access to “all authorities to which analysts are entitled access.” Someone who’s supposed to be performing a more limited search under 704 may not take steps to remove 702 collections from the queried data or add the limiters needed to ensure proper minimization of US persons’ communications.
That’s already a terrible way to handle the querying of NSA collections. The default is everything, and affirmative, unprompted steps must be taken by analysts to ensure their queries are lawful. Making it worse is the issue the IG first mentioned: the NSA has no system for tracking possibly-prohibited searches.
Then there’s this wrinkle in the statutory authorities the NSA seems unable to comply with: the NSA cannot engage in domestic surveillance, so its targeting of US persons overseas must end when the US person arrives back on US soil. Possible violations of this nature were, again, not being tracked by the NSA.
FAA 704 and 705(b) targeting and minimization procedures prohibit targeting USPs while they are in the United States. Although the Agency is not required to document [REDACTED], maintaining these records is important for securing compliance with the targeting and minimization procedures.
The upshot of this report is that the NSA has probably engaged in wholly domestic surveillance thanks to lax recordkeeping and its all-access internet communications haystack. Having to get permission from the FISA court to search collected records is an important step, but it’s completely meaningless when analysts are given full access to data stores under multiple authorities and expected to “opt out” of potentially unlawful searches.
As Marcy Wheeler points out in her post about 704/705 violations, the NSA is a “dumpster fire of noncompliance.” She points to a just-released opinion by FISC judge Rosemary Collyer, in which the judge notes the NSA’s new 704/705 search tool (put in place in 2012) resulted in far more violations than approved searches.
NSA examined all queries using identifiers for “U.S. persons targeted pursuant to Sections 704 and 705(b) of FISA using the tool [redacted] in [redacted] . . . from November 1, 2015 to May 1, 2016.” Id. at 2-3 (footnote omitted). Based on that examination, “NSA estimates that approximately eighty-five percent of those queries, representing [redacted] queries conducted by approximately [redacted] targeted offices, were not compliant with the applicable minimization procedures.” Id. at 3. Many of these non-compliant queries involved use of the same identifiers over different date ranges. Id. Even so, a non-compliance rate of 85% raises substantial questions about the propriety of using of [redacted] to query FISA data. While the government reports that it is unable to provide a reliable estimate of the number of non-compliant queries since 2012, id., there is no apparent reason to believe the November 2015-April 2016 period coincided with an unusually high error rate.
In other words, the tool was broken from the moment it was introduced and very likely resulted in four out of every five searches being noncompliant over that four-year period. This is the sort of thing that will be glossed over during the run-up to renewal, with the NSA touting its multiple layers of oversight and rigorous self-reporting as reasons it should be given extended permission to engage in future noncompliance.