Inspector General's Report Shows Section 702 Isn't The Only Thing Being Abused By The NSA

from the does-the-NSA-even-understand-the-concept-of-'internal-controls?' dept

There's more than Section 702 up for renewal at the end of this year. Most of the attention has been focused on Section 702 because it's used most frequently for internet communications and data collections. Not only does the NSA make use of this collection, but other agencies (FBI, CIA) are allowed unminimized access to NSA 702 data stores. With this many agencies reliant on NSA communications interception, the sales pitches have been focusing on this particular authority.

But there are other surveillance authorities under Title VII: Sections 704 and 705, which allow the NSA to target US persons located outside of the country. The numbers put up by these sections aren't as impressive as Section 702's (~3,000 selectors for 151 million records), but 704/705 isn't supposed to result in incidental collection. It's a US spy agency actively spying on US citizens.

According to Marcy Wheeler, these collections only target about 80 people. But protections for US citizens aren't supposed to evaporate just because they've travelled out of the country. Agencies seeking to use these authorities must obtain a FISA court order to collect communications and data. Section 704 covers new requests for collections and Section 705 allows for "streamlined" requests/renewals for orders covering US persons already targeted by the agency.

The NSA may be compliant in terms of obtaining court orders, but the 2016 Inspector General's report [PDF] released last week shows the agency has done almost nothing to prevent abuse of its collections.

At the time of our review, the Agency could not reliably identify queries performed using selectors associated with FAA 704 and 705(b) targets because the SIGINT databases did not uniformly send records in the correct format to [REDACTED] (NSA's SIGINT auditing and logging system).

[...]

We identified [REDACTED] queries that were not compliant with the FAA 704 and 705(b) targeting and minimization procedures. [LONG REDACTION] We identified another [REDACTED] queries that were performed outside the targeting authorization periods in E.O. 12333 data, which is prohibited by the E.O. 12333 minimization procedures. We also identified [REDACTED] queries performed using USP slectors in FAA 702 upstream data, which is prohibited by the FAA 702 minimization procedures.

According to the NSA, the problem is its own software. These collections are obtained beforehand. The FISA orders only limit what analysts can search for in the collected data. Everything apparently funnels into one big pile, and it's up to analysts to search according to the controlling statute (702, 704, 705, or Executive Order 12333). The problem is the NSA's system immediately gives access to "all authorities to which analysts are entitled access." Someone who's supposed to be performing a more limited search under 704 may not take steps to remove 702 collections from the queried data or add the limiters needed to ensure proper minimization of US persons' communications.

That's already a terrible way to handle the querying of NSA collections. The default is everything, and affirmative, unprompted steps must be taken by analysts to ensure their queries are lawful. Making it worse is the issue the IG first mentioned: the NSA has no system for tracking possibly-prohibited searches.

Then there's this wrinkle in the statutory authorities the NSA seems unable to comply with: the NSA cannot engage in domestic surveillance so its targeting of US persons overseas must end when the US person arrives back on US soil. Possible violations of this nature were, again, not being tracked by the NSA.

FAA 704 and 705(b) targeting and minimization procedures prohibit targeting USPs while they are in the United States. Although the Agency is not required to document [REDACTED], maintaining these records is important for securing compliance with the targeting and minimization procedures.

The upshot of this report is that the NSA has probably engaged in wholly domestic surveillance thanks to lax recordkeeping and its all-access internet communications haystack. Having to get permission from the FISA court to search collected records is an important step, but it's completely meaningless when analysts are given full access to data stores under multiple authorities and expected to "opt out" of potentially unlawful searches.

As Marcy Wheeler points out in her post about 704/705 violations, the NSA is a "dumpster fire of noncompliance." She points to a just-released opinion by FISC judge Rosemary Collyer, in which the judge notes the NSA's new 704/705 search tool (put in place in 2012) resulted in far more violations than approved searches.

NSA examined all queries using identifiers for “U.S. persons targeted pursuant to Sections 704 and 705(b) of FISA using the tool [redacted] in [redacted] . . . from November 1, 2015 to May 1, 2016.” Id. at 2-3 (footnote omitted). Based on that examination, “NSA estimates that approximately eighty-five percent of those queries, representing [redacted] queries conducted by approximately [redacted] targeted offices, were not compliant with the applicable minimization procedures.” Id. at 3. Many of these non-compliant queries involved use of the same identifiers over different date ranges. Id. Even so, a non-compliance rate of 85% raises substantial questions about the propriety of using of [redacted] to query FISA data. While the government reports that it is unable to provide a reliable estimate of the number of non-compliant queries since 2012, id., there is no apparent reason to believe the November 2015-April 2016 period coincided with an unusually high error rate.

In other words, the tool was broken from the moment it was introduced and very likely resulted in four out of every five searches being noncompliant over that four-year period. This is the sort of thing that will be glossed over during the run up to renewal, with the NSA touting its multiple layers of oversight and rigorous self-reporting as reasons it should be given extended permission to engage in future noncompliance.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    051717, 17 May 2017 @ 5:03am

    Get used to it

    Bottom line is that NSA can not be effectively controlled by Congress, the courts, or Presidents... and thus routinely operates outside U.S. law.
    It is literally an outlaw entity.

    Congress could end all NSA funding-- "pull the plug" as the ultimate control mechanism, but the unfortunate reality is that Congress really likes NSA's spectacular surveillance capabilities-- and is not seriously concerned by its constant criminal activities.
    That status quo will persist at least for our lifetimes. Get used to it.

    reply to this | link to this | view in thread ]

  2. identicon
    Anonymous Coward, 17 May 2017 @ 5:20am

    Re: Get used to it

    The problem is that congress, the courts and Presidents are not effectively controlled by the citizenry.

    reply to this | link to this | view in thread ]

  3. identicon
    Capt ICE Enforcer, 17 May 2017 @ 7:34am

    Beta version.

    If only the NSA, FBI, CIA, XXX, and any other 3 letter agency had some smart computer programmers who could help fix these zero day bugs. This wouldn't be an issue.

    reply to this | link to this | view in thread ]

  4. identicon
    Anonymous Coward, 17 May 2017 @ 8:32am

    about time the USA and the rest of the World wisened up to the fact that, not just the NSA, but all USA security services think they are above any law in any country and can just do as they damn well please!!

    reply to this | link to this | view in thread ]

  5. identicon
    Anonymous Coward, 17 May 2017 @ 3:03pm

    Re: Get used to it

    "That status quo will persist at least for our lifetimes. Get used to it."

    • Get used to it, Gandhi. The British will always rule India.
    • Get used to it, Continental Congress. The British will always rule the colonies.
    • Get used to it, Suffragettes. Women will never be allowed to vote.
    • Get used to it, Abolitionists. The US will always keep slaves.
    • Etc....

    Your cowardly acquiescence makes me sick and you should be ashamed of it. Going forward, please keep your crybaby fear talk to yourself.

    Either grow a pair - or - go crawl back in your hole and bitch to the other cowards while everyone else fights. As you are now, you're worse than useless.

    Now as for everyone else...

    Whatever the hell you do, don't "get used to it". Fight it as if you're fighting for your way of life; as if for your very freedom. Because that's exactly what's happening here. And YES, this absolutely CAN be addressed in our lifetimes. Step 1: Don't accept this extremely dangerous criminal violation of the 4th Amendment as "just the way it is".

    reply to this | link to this | view in thread ]

  6. identicon
    Anonymous Coward, 17 May 2017 @ 3:12pm

    Re: Re: Get used to it

    Accepting the unacceptable in the name of "realism" is a time honored pastime of the the coward and propagandist alike.

    reply to this | link to this | view in thread ]

  7. identicon
    Wendy Cockcroft, 18 May 2017 @ 5:31am

    Re: Re: Get used to it

    Nail. Hit. On. Head.

    Now what? We need to be making use of town hall meetings to hold our representatives to account. The democratic process works perfectly well when applied, we just need to get off our behinds and get involved.

    reply to this | link to this | view in thread ]

  8. identicon
    David, 20 May 2017 @ 12:02pm

    I'm shocked, shocked to hear that illegal eavesdroppings have been going on!

    Your transcripts, Sir!

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Math Is Not A Crime
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.