Latest FISA Court Order Details Why NSA Didn't Get Any 702 Requests Approved Last Year

Legal Issues

from the hint:-a-datacenter's-worth-of-noncompliance dept

The latest document dump by the Office of the Director of National Intelligence (ODNI) — which contains several documents pried loose by an ACLU FOIA lawsuit — explains why the NSA ran through the entirety of 2016 without an approved Section 702 request from the FISA court. The short answer is a whole lot of noncompliance. So’s the long answer:

After submitting its 2016 Certifications in September 2016, the Department of Justice and ODNI learned, in October 2016, about additional information related to previously reported compliance incidents and reported that additional information to the FISC. The NSA also self-reported the information to oversight bodies, as required by law. These compliance incidents related to the NSA’s inadvertent use of U.S. person identifiers to query NSA’s “upstream” Internet collection acquired pursuant to Section 702.

Pursuant to statutory requirements, the FISC was required to complete its review of the 2016 Certifications within 30 days of submission. See 50 U.S.C. § 1881a(i)(1)(B). Thus, the FISC had until October 26, 2016, to issue an order concerning the 2016 Certifications. However, after the October 2016 report to the FISC regarding improper queries, the FISC twice extended its time to consider the 2016 Certifications – first until January 31, 2017, and then until April 28, 2017 – in order to receive additional information about the compliance incidents and the Government’s plan to address them. See April 2017 Opinion at 3-4. The previous year’s certifications remained in effect during these extension periods.

Of note here is the fact that the court allowed 2015’s certifications to remain in place despite even more reports of noncompliance by the NSA. Section 702 has been steadily abused, inadvertently or deliberately, since its inception in 2008 as part of the FISA Amendments Act.

Because the court was extremely hesitant to approve new searches under this authority, the agency apparently undertook a comprehensive overhaul of the program. The end result was the shutdown of the “about” collection — an upstream dragnet for email communications that tended to grab a bunch of US persons’ communications — ones the NSA supposedly couldn’t figure out how to separate from its non-domestic data.

The latest FISC opinion [PDF] — roughly a month old at this point — finally gives the NSA a 702 court order it can include in its next transparency report. The opinion doesn’t spend much time chastising the agency for its long-running compliance issues but at least provides more examples of how little the NSA has done to prevent internal abuse of its collections. This abuse also includes the FBI, which has access to the NSA’s raw, unminimized 702 data.

Since 2011, minimization procedures have prohibited use of U.S.-person identifiers to query the results of upstream Internet collection under Section 702. The October 26, 2016 Notice informed the Court that NSA had been conducting such queries in violation of that prohibition, with much greater frequency than had previously been disclosed to the Court… The government reported that the NSA IG and OCO were conducting other reviews covering different time periods, with preliminary results suggesting that the problem was widespread during all periods under review.

At the October 26, 2016 hearing, the Court ascribed the government’s failure to disclose those IG and COO reviews at the October 4, 2016 hearing to an institutional “lack of candor” on part and emphasized that “this is a very serious Fourth Amendment issue.”

Some of the compliance issues could be traced back to the NSA’s querying system, which seemed built to ensure as many compliance issues as possible.

The January 3, 2017 Notice stated that “human error was the primary factor” in these incidents, but also suggested that system design issues contributed. For example, some systems that are used to query multiple datasets simultaneously required to “opt-out” of querying Section 702 upstream Internet data rather than requiring an affirmative “opt-in,” which, in the Court’s view, would have been more conducive to compliance.

The report also details further issues with the NSA and its data-sharing, including a heavily-redacted retelling of compliance issues at the FBI concerning dissemination of unminimized US persons’ info (including to government contractors). While steps have now been put in place to prevent a recurrence, the court notes the government has routinely dragged its feet providing notice of misuse of surveillance databases.

Too often, however, the government fails to meet its obligation to provide prompt notification to the FISC when non-compliance is discovered. For example, it is unpersuasive to attribute — even “in part” — an eleven-month delay in submitting a preliminary notice to efforts to develop remedial steps… when the purpose of a preliminary notice is to advise the Court while investigation or remediation is still ongoing… The Court intends to monitor closely the timeliness of the government’s reporting of non-compliance regarding Section 702 implementation.

And so it goes for 99 pages. Multiple compliance violations, multiple promises to do better next time by the government, and a handful of mild admonitions by the FISA judge. The most useful thing to come of this is the voluntary step the NSA took to end its “about” collection program, thus narrowing the number of incidentally-collected US persons’ communications. While the court approves of this move, its approval means very little should the NSA decide to revive the program. Considering its lengthy run of compliance issues, it seems unlikely the agency will be in any hurry to defend a rollback of its rollback in a court that’s heard about nothing but misuse and abuse of domestic communications for most of the last decade.

Filed Under: abuse, fisa court, fisc, nsa, section 702, surveillance