Latest (Official) Document Release Takes A Look At The NSA's Bulk Collection Of Financial Records
from the phone-records-still-hogging-the-spotlight,-though dept
Three more documents have been pried from the cold, decidedly-not-dead hands of the Office of the Director of National Intelligence. Rather than tell us how INTERESTED the intelligence "community" is in this dialogue it's been forced into by leaked documents, the ODNI unceremoniously dumped these on the national desktop before skipping town for the weekend. At least this time, it had the decency to namecheck the EFF's FOIA lawsuit, albeit over at Twitter rather than at the official ODNI blog.
There are three documents this time around, one of which is an update of Judge Walton's corrective measures put in place after discovering the agency's phone metadata program had not been run correctly since its institution. It's a good read but most of it's been covered here before.
The most notable aspect is a discussion of the "alert list," the numbers the NSA used to search incoming phone records. As of 2006, the NSA had 3,980 phone numbers on the list, all of which were deemed to meet the "RAS (reasonable articulable suspicion) standard." This was what was represented to the court. But it was discovered that many more than that had been used for queries without RAS or court approval.
Unfortunately, the universe of compliance matters that have arisen under the Court's Orders for this business records collection extends beyond the events described above. On October 17, 2008, the govemment reported to the FISC that, after the FISC authorized the NSA to increase the number of authorized to access the BR metadata to 85, the NSA trained those newly authorized on Court-ordered procedures. Despite this training, however, the NSA subsequently determined that 31 NSA analysts had queried the BR metadata during a five day period in April 2008 "without being aware they were doing so." (emphasis added [by Judge Walton]). As a result, the NSA used 2,373 foreign telephone identifiers to query the BR metadata without first determining that the reasonable articulable suspicion standard had been satisfied.That's five days worth of searching records with 2,373 numbers that didn't meet the FISC court's standards or the NSA's own stated minimization procedures, with a possible three "hops" worth of data added. As the court has pointed out before, bypassing these standards makes the harvesting of this data illegal.
Regardless of what factors contributed to making these misrepresentations, the Court finds that the government's failure to ensure that responsible officials adequately understood the NSA's alert list process, and to accurately report its implementation to the Court, has prevented, for more than two years, both the government and the FISC from taking steps to remedy daily violations of the minimization procedures set forth in FISC orders and designed to protect [redacted] call detail records pertaining to telephone communications of U.S. persons located within the United States who are not the subject of any FBI investigation and whose call detail information could not otherwise have been legally captured in bulk.Illegal capture of data that went unhindered for two years, despite daily violations. Who's looking out for Americans? Well, supposedly it's the good people at the NSA, along with its various levels of oversight. But if the oversight only gets its "facts" from the NSA, it's hardly in any place to provide oversight.
Also included in this document dump is another FISA court order limiting the NSA to court-approved searches (with emergency exceptions). Again, this is a direct result of the NSA's continued failure to abide by the limitations of the law and its own internal policies.
The most interesting document is a supplemental order from the FISA court, which serves to remind everyone that Section 215 covers a whole lot more than just telephone metadata.
The RFPA generally provides that "no Government authority" may obtain "financial records" from a "financial institution" unless one of several exceptions applies. fig 12 U.S.C. 3402; see also id, 3403. Under one of those exceptions, the FBI may, without prior judicial review, compel a financial institution to produce financial records, provided that a designated FBI official has certified that the records are relevant to an authorized foreign intelligence investigation. 50 U.S.C. 34l4(a)(5)(A). Pursuant to Section 1861, the government may request, and this Court may grant, "an order requiring the production of Q1 tangible things (including books, records, papers, documents, and other items)" 50 U.S.C. 1861(a)(1) (emphasis added). Section 1861 requires the government to provide the Court with a "statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant" to a foreign intelligence investigation, id, 1861(b)(2)(A), and the Court to determine that the application satisfies this requirement, 5; id 1861(c)(l), before records are ordered to be produced.So, under the same authority, the FBI (and consequently, the NSA) is allowed to collect almost any "business record," provided it is deemed "relevant" to a foreign intelligence investigation. Marcy Wheeler suggests that this collection of financial records may explain the spike in FISC orders that began in 2010.
Although the RFPA contains no provision explicitly allowing the production of financial records pursuant to a Section 1861 order, the Court agrees with the government that it would have been anomalous for Congress to have deemed the FBI's application of a "relevance" standard, without prior judicial review, sufficient to obtain records subject to the RFPA, but to have deemed this Court's application of a closely similar "relevance" standard insufficient for the same purpose.
In addition, the number Section 215 orders started going up drastically in 2010, along with the number of orders the FISC modified to require minimization procedures.Phone metadata has been the issue on everyone's minds these past few weeks, but the reality is that the NSA is collecting several other bulk records under the same authority. And these are all obtained under the pretense that they're somehow "relevant" to a terrorist-related investigation, even though they're gathered in bulk and any minimization procedures can only be speculated on at this point in time.
Nevertheless, the reports show us two new things.
I’ve suggested that 176 modified applications may suggest the government has as many as 44 bulk collection programs, which would be renewed every three months (or, alternately, a whole lot more specific bulk collection orders).
That is, this rise in what are almost certainly bulk collection orders came around the same time as FISC “Bates-stamped” the collection of financial records with Section 215.
Even "just metadata" from phone records can paint a pretty accurate picture about someone "incidentally" caught up in the NSA's dragnet. Add another few dozen forms of "metadata" and it's pretty much indistinguishable from giving the agency unfettered access to the everyday lives of millions of people.