Latest FISA Court Order Details Why NSA Didn't Get Any 702 Requests Approved Last Year

from the hint:-a-datacenter's-worth-of-noncompliance dept

The latest document dump by the Office of the Director of National Intelligence (ODNI) -- which contains several documents pried loose by an ACLU FOIA lawsuit -- explains why the NSA ran through the entirety of 2016 without an approved Section 702 request from the FISA court. The short answer is a whole lot of noncompliance. So's the long answer:

After submitting its 2016 Certifications in September 2016, the Department of Justice and ODNI learned, in October 2016, about additional information related to previously reported compliance incidents and reported that additional information to the FISC. The NSA also self-reported the information to oversight bodies, as required by law. These compliance incidents related to the NSA’s inadvertent use of U.S. person identifiers to query NSA’s “upstream” Internet collection acquired pursuant to Section 702.

Pursuant to statutory requirements, the FISC was required to complete its review of the 2016 Certifications within 30 days of submission. See 50 U.S.C. § 1881a(i)(1)(B). Thus, the FISC had until October 26, 2016, to issue an order concerning the 2016 Certifications. However, after the October 2016 report to the FISC regarding improper queries, the FISC twice extended its time to consider the 2016 Certifications – first until January 31, 2017, and then until April 28, 2017 – in order to receive additional information about the compliance incidents and the Government’s plan to address them. See April 2017 Opinion at 3-4. The previous year’s certifications remained in effect during these extension periods.

Of note here is the fact that the court allowed 2015's certifications to remain in place despite even more reports of noncompliance by the NSA. Section 702 has been steadily abused, inadvertently or deliberately, since its inception in 2008 as part of the FISA Amendments Act.

Because the court was extremely hesitant to approve new searches under this authority, the agency apparently undertook a comprehensive overhaul of the program. The end result was the shutdown of the "about" collection -- an upstream dragnet for email communications that tended to grab a bunch of US persons' communications -- ones the NSA supposedly couldn't figure out how to separate from its non-domestic data.

The latest FISC opinion [PDF] -- roughly a month old at this point -- finally gives the NSA a 702 court order it can include in its next transparency report. The opinion doesn't spend much time chastising the agency for its long-running compliance issues but at least provides more examples of how little the NSA has done to prevent internal abuse of its collections. This abuse also includes the FBI, which has access to the NSA's raw, unminimized 702 data.

Since 2011, minimization procedures have prohibited use of U.S.-person identifiers to query the results of upstream Internet collection under Section 702. The October 26, 2016 Notice informed the Court that NSA had been conducting such queries in violation of that prohibition, with much greater frequency than had previously been disclosed to the Court… The government reported that the NSA IG and OCO were conducting other reviews covering different time periods, with preliminary results suggesting that the problem was widespread during all periods under review.

At the October 26, 2016 hearing, the Court ascribed the government's failure to disclose those IG and OCO reviews at the October 4, 2016 hearing to an institutional "lack of candor" on part and emphasized that "this is a very serious Fourth Amendment issue."

Some of the compliance issues could be traced back to the NSA's querying system, which seemed built to ensure as many compliance issues as possible.

The January 3, 2017 Notice stated that "human error was the primary factor" in these incidents, but also suggested that system design issues contributed. For example, some systems that are used to query multiple datasets simultaneously required to "opt-out" of querying Section 702 upstream Internet data rather than requiring an affirmative "opt-in," which, in the Court's view, would have been more conducive to compliance.

The report also details further issues with the NSA and its data-sharing, including a heavily-redacted retelling of compliance issues at the FBI concerning dissemination of unminimized US persons' info (including to government contractors). While steps have now been put in place to prevent a recurrence, the court notes the government has routinely dragged its feet providing notice of misuse of surveillance databases.

Too often, however, the government fails to meet its obligation to provide prompt notification to the FISC when non-compliance is discovered. For example, it is unpersuasive to attribute -- even "in part" -- an eleven-month delay in submitting a preliminary notice to efforts to develop remedial steps… when the purpose of a preliminary notice is to advise the Court while investigation or remediation is still ongoing… The Court intends to monitor closely the timeliness of the government's reporting of non-compliance regarding Section 702 implementation.

And so it goes for 99 pages. Multiple compliance violations, multiple promises to do better next time by the government, and a handful of mild admonitions by the FISA judge. The most useful thing to come of this is the voluntary step the NSA took to end its "about" collection program, thus narrowing the number of incidentally-collected US persons' communications. While the court approves of this move, its approval means very little should the NSA decide to revive the program. Considering its lengthy run of compliance issues, it seems unlikely the agency will be in any hurry to defend a rollback of its rollback in a court that's heard about nothing but misuse and abuse of domestic communications for most of the last decade.


Reader Comments


  1. Stosh, 16 May 2017 @ 9:56am

    It's a good thing none of these multiple compliance violations could possibly be used for political purposes by those in power....


  2. Ninja, 16 May 2017 @ 10:18am

    I wonder how much of this was due to Snowden and the public debate he generated. You don't rubberstamp everything for years to suddenly stop because 'compliance issues'. Or so I'd think.


  3. Anonymous Coward, 16 May 2017 @ 10:42am

    "The end result"

    The end result was the shutdown of the "about" collection

    No, the result was the claimed shutdown of the "about" collection. What evidence do we have it's actually stopped? It's much more likely we have "a whole lot of noncompliance".


  4. Anonymous Coward, 16 May 2017 @ 11:03am

    Re:

    You obviously know nothing of our government. The about collection is 100% shut down. They now use the rights protecting concerning collection methods.


  5. orbitalinsertion, 16 May 2017 @ 1:53pm

    Re: "The end result"

    Clarification: The about collection program. They still have the same internet firehose as always.

    But anything running interference against them is good. A little bit here, a little bit there. If they have big enough internal problems that we hear about it, something is way off.


  6. Anonymous Coward, 16 May 2017 @ 2:41pm

    The most useful thing to come of this is the voluntary step the NSA took to end its "about" collection program, thus narrowing the number of incidentally-collected US persons' communications.

    You forgot "under this program".

    Actually, that whole sentence sounds like a WH press release. Very disappointing.


  7. Anonymous Coward, 16 May 2017 @ 4:50pm

    I hope those committing this maleficence know the meaning of sedition.


  8. Anonymous Coward, 16 May 2017 @ 5:06pm

    Unconstitutional

    Since the NSA was created unilaterally and without the input of congress or the American people, all of its domestic collection is illegal and against the very foundation of this country. You cannot give up liberty to receive freedom, you lose both.


  9. Chuck, 16 May 2017 @ 8:10pm

    IP Filter, guys?

    Why can't the NSA learn how to use an IP address filter?

    I mean, they're claiming that they can't filter out which emails are domestic vs. which are foreign, right? And we already know exactly which IP addresses are allotted to American ISPs, right?

    I mean, sure, an IP address is not a person, true. But it IS a location. And we know where those locations are. At least whether they're in New Jersey or New Delhi, anyway. So wouldn't a basic, simple, any-village-idiot-can-do-it-on-a-$29-router IP filter solve this problem?

    And before one of you pipes up with "yeah but that might limit them and some terrorist might get through" just remember that the Section 702 program has NEVER, EVER STOPPED A SINGLE TERRORIST, EVER, PERIOD. Some of these programs can point to a small handful of successes, but 702 is the only one we know of that has literally never provided a single piece of actionable intel or led to preventing any terrorist activity, ever. Nine f**king years of violating our privacy, and they can't even show a single example of improving our security, ever, at all.

    It's bad enough that we're trading privacy for security in the first place, but with 702, we aren't even getting the security! Hell, we're not even getting decent security theater out of this crap!


  10. Anonymous Coward, 16 May 2017 @ 8:57pm

    Re: IP Filter, guys?

    Why can't the NSA learn how to use an IP address filter?

    Why should they? When the courts force them to, they'll say they've started filtering. Until then, why even bother to lie?


