2008 FISA Transcript Shows NSA Already Knew It Might Have An Incidental Collection Problem

from the where-'about'-means-'how-about-we-just-collect-it-all?' dept

The ODNI has released several documents in response to FOIA lawsuits (EFF, ACLU). The EFF scored 18 of these (handy zip link here) and the ACLU seven. The ACLU's batch has proven more interesting (at least initially). One document it obtained shows a tech company challenged a Section 702 surveillance order in 2014. The challenge was shut down by the FISA court, but with the exception of Yahoo's short-lived defiance, we haven't seen any other evidence of ISP resistance to internet dragnet orders.

Included in the ACLU's batch is a 2008 FISA Court transcript [PDF] that's particularly relevant to the NSA's voluntary shutdown of its "about" collection. In it, the NSA discusses its filtering and oversight procedures, which were already problematic nearly a decade ago.

There are some really interesting tidbits to be gleaned from the often heavily-redacted proceedings, including this statement, which makes it clear the NSA engaged in wholly-domestic surveillance prior to the FISA Amendments Act.

THE COURT: All right. Well, what about the non-U.S. person status, which of course is new under the FISA Amendments Act? Are you going to be changing anything in terms of focusing on that?

[REDACTED GOV'T RESPONDENT]: We already sort of do with respect to the U.S. person status is so intertwined with the location of the target [REDACTED] to the extent that in the past NSA.would actually affirmatively identify targeted U.S. persons to us on the sheets, because one of the additional fields that they put in the sheets is basically a blurb, an explanation and a description of the target.

Clearly, we're not allowed to target US persons anymore, so I don't anticipate seeing any such descriptions on the sheets. But again, since the status of the person, the determination of how that is made is so intertwined with the same information upon which NSA relies to make a foreignness determination, that it would be hard for us not to identify such information as we're conducting the reviews.

Which, of course, means the NSA was allowed to target US persons and their communications previously, contradicting statements made by US officials, including President George W. Bush and Vice President Dick Cheney.

It's stated earlier in the transcript that the NSA does a few things to help minimize examination of US persons' communications. But they're not great. The NSA runs spot checks on analysts' transactions, deploys filters, and relies on self-reporting to guard against Fourth Amendment violations. It sounds like quite a bit, but the details show it's not nearly enough. To start with, the filters meant to filter out US persons' communications don't work.

COURT: The NSA minimization procedures, you're stating, 'contain a provision for allowing retention of information because of limitations on NSA's ability to filter communications.' My question I had was is the filter discussed in targeting the same filtering. I just wanted to understand that, and apparently it is. [The rest of the court's question is redacted.]

GOV'T: I think the inclusion of that provision in the minimization procedures was intended to be prophylactic in the event that the filters don't necessarily work, and NSA has represented that it's been their experience with the filters and [redacted] this provision basically captures instances where the filters may not work in every instance.

And there's a good reason why they won't work "in every instance." Further unredacted discussion reveals the NSA partially relies on an IP address blacklist to filter out US persons' communications. This is better than nothing, but still a long way from being a strong positive indicator of a target's (or incidental target's) location.

The court then asks about the limitations of the filters and… we get several fully-redacted pages as an answer.

The court also asks about the "about" collection -- where targets are discussed but the communications do not directly involve NSA targets.The judge wants to know how often this is being used rather than the more-targeted "to/from" collection and how often it results in incidental collection. Unsurprisingly, the government can't say how often this happens. This is because the NSA saw no reason to track these searches.

GOV'T: As far as the percentage number, we don't have a number for that, because as I mentioned earlier, when we [redacted] we find to's and froms and [redacted] so we don't categorize those separately to be able to count those communications as abouts.

The court then asks why it's not possible to limit the collection to to's and froms. The government's response is that collecting it all just works better for the NSA, even though it apparently possesses the technical ability to keep these collections separate.

It is technically feasible. The problem with doing so is if you end up discarding a number of communications that are truly to-froms that you should be able to collect but [redacted]...

So by trying to limit us to no abouts, then we end up cutting out those kind of communications as well, truly to-froms. So it would be -- we're not surgical enough to take that out of the equation without impacting our ability to do to-froms effectively.

And later in the discussion, there's a bit of a bombshell about the "about" collection. The NSA shut it down because it couldn't find a way to prevent incidental collection of US persons' communications. In this transcript, the government points out incidental collection is just as likely with to-from targeting.

COURT: Is it more or less likely to pick up U.S.-person information in an about than a to or from?

MR. OLSEN: I don't know the answer in practice. At least from my perspective in theory, I wouldn't see why it would be more likely than a targeted to or from collection where the target's outside the United States where there's a similar possibility that that target would be in communication with someone in the United States, with a U.S. person in the United States.

If this is true, the elimination of the "about" collection doesn't do much to curtail incidental collection. And almost a decade ago, the NSA was already making it "impossible" to comply with Congressional requests for incidental collection numbers by refusing to separate its collections, even with the FISA Court raising questions about its Fourth Amendment implications.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    stine, 16 Jun 2017 @ 5:13am

    you're kind of naive

    > Which, of course, means the NSA was allowed to target US persons and their communications previously, contradicting statements made by US officials, including President George W. Bush and Vice President Dick Cheney.

    You're kind of naive, and you're young. I can remember using this joke in the late 1970's:
    Do you know how to apply for a job at the NSA?
    Call your grandmother and ask for an application.

    I used to think that was a pretty good joke, considering that my grandmother's phone, at the time, was a party-line.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 16 Jun 2017 @ 7:06am

    > So by trying to limit us to no abouts, then we end up cutting out those kind of communications as well

    By George, I think he's got it!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 16 Jun 2017 @ 7:25am

    Not sure how I feel about this article. Very thin. In 2002, Thomas Drake brought to senior leadership of the NSA that they were violating the Constitution by picking up citizens communications.

    So they new about it at least in 2002, not later in 2008.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 16 Jun 2017 @ 11:14am

    The court then asks why it's not possible to limit the collection to to's and froms. The government's response is that collecting it all just works better for the NSA, even though it apparently possesses the technical ability to keep these collections separate.

    Of course it "works better for the NSA"...it means less work involved. But since when did their laziness start trumping the Constitution?

    The NSA has the most super computers in the world, yet can't figure out how to effectively implement a filter? If that's truly the case, then they could start by lightening their dataset to filter from by not trying to collect every bit of information on the planet.

    reply to this | link to this | view in chronology ]

  • icon
    David (profile), 16 Jun 2017 @ 3:02pm

    They could ask Google

    Google searches the entire blasted web. And often. And in extensive detail.

    Surely someone in that vast storage house of business/personal data can run 'grep'. Well, able to do so and convey such knowledge to those with their head in the sand.

    NSA: No Sand Anywhere.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Special Affiliate Offer
Anonymous number for texting and calling from Hushed. $25 lifetime membership, use code TECHDIRT25
Report this ad  |  Hide Techdirt ads
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.