In the begrudging spirit of forced openness, the Office of the Director of National Intelligence (James "Least Untruthful" Clapper, presiding) has released its First
Annual Ever Transparency Report. So, what have our intelligence agencies been up to for the last calendar year? Well, a little of this and whole lot of that, all of it broken down into numbers that don't really provide that much transparency.
The figure that first stands out is related to the Section 702 program. As defined in intelspeak, the 702 program:
facilitates the acquisition of foreign intelligence information concerning non-U.S. persons located outside the United States, creating a new, more streamlined procedure to collect the communications of foreign terrorists.
In plain English, the Section 702 program does this
[The] collection done under Section 702 captures content of communications. This could include content in emails, instant messages, Facebook messages, web browsing history, and more.
Like other bulk surveillance programs, Section 702 supposedly targets non-US persons but frequently "incidentally" collects content from US persons and other non-targets. This data on Americans is then searchable via backdoor searches
. Much of this information is collected directly off the "Internet backbone
" as communications flow through NSA collection points. The authority it operates under is incredibly vague and almost completely without adequate oversight. This last sentence explains the following numbers.
In contrast with sections 703, 704 and pen register requests -- where the number of targets roughly corresponds with the number of orders -- the 702 program operates under one order… which nets over 89,000 targets. Note -- and this is important -- that the report only says how many "targets" are "affected." It does not
say how many other people's communications
are "incidentally" collected along the away and made open to those backdoor searches. And, rest assured, that number is likely much larger
than 89,000 -- especially since we already know that any communication "about" any target gets swept up, but that won't count towards that number. And, as discussed below, the definition of "target" can often mean something entirely different than what you think it means. This broad collection, one that harvests content rather than (supposedly harmless) metadata, is one of the NSA's favorite tools and explains its willingness to discuss alterations
to the Section 215 bulk metadata program, but not to change the 702 program at all. (Not that anything much actually happened
to the 215 program, even after all of the discussion.)
What's more interesting, though, is the long discussion about the incredibly high number of National Security Letters issued in 2013.
The FBI (along with other agencies) is issuing NSLs at the rate of 53 per day
. The ODNI's long explanation attempts to portray this huge number as most certainly not evidence of NSL abuse.
In addition to those figures, today we are reporting (1) the total number of NSLs issued for all persons, and (2) the total number of requests for information contained within those NSLs. For example, one NSL seeking subscriber information from one provider may identify three e-mail addresses, all of which are relevant to the same pending investigation and each is considered a “request.”
So, the FBI (and unnamed other agencies) must issue a new NSL (the "must" is up for discussion) for each account it wishes to collect from, whether it's an email address or some other online account. And if multiple names are used for one target, then new NSLs must be issued to claim that
information. And so on, until the government is issuing nearly 20,000 per year.
The ODNI attempts to explain how difficult it is to narrow down how many people are being targeted by NSLs.
We are reporting the annual number of requests rather than “targets” for multiple reasons. First, the FBI’s systems are configured to comply with Congressional reporting requirements, which do not require the FBI to track the number of individuals or organizations that are the subject of an NSL.
Even if the FBI systems were configured differently, it would still be difficult to identify the number of specific individuals or organizations that are the subjects of NSLs. One reason for this is that the subscriber information returned to the FBI in response to an NSL may identify, for example, one subscriber for three accounts or it may identify different subscribers for each account…
We also note that the actual number of individuals or organizations that are the subject of an NSL is different than the number of NSL requests. The FBI often issues NSLs under different legal authorities, e.g., 12 U.S.C. § 3414(a)(5), 15 U.S.C. §§ 1681u(a) and (b), 15 U.S.C. § 1681v, and 18 U.S.C. § 2709, for the same individual or organization.
All well and good, but the DOJ's transparency report (linked to by the ODNI) breaks that number down just fine. (For whatever reason, the ODNI Tumblr post links to a report for 2012. The PDF of the ODNI's report contains a link to the 2013 version. Both are embedded below.)
From the 2013 letter:
In 2013, the FBI made 14,219 NSL requests (excluding requests for subscriber information only) for information concerning United States persons. These sought information pertaining to 5,334 different United States persons.
From the 2012 letter:
In 2012 the FBI made 15,229 NSL requests (excluding requests for subscriber information only) for information concerning United States persons. These sought information pertaining to 6,223 different United States persons.
It appears the FBI has the power to narrow down the number of persons targeted by its NSLs, although something
must have happened in 2013 that made it append the following footnote to its FY2013 letter.
In the course of compiling its National Security Letter statistics, the FBI may over-report the number of United States persons about whom it obtained information using National Security Letters. For example, NSLs that are issued concerning the same US. person and that include different spellings of the US. person's name would be counted as separate U.S. persons, and NSLs issued under two different types of NSL authorities concerning the same US. person would be counted as two US. persons. This statement also applies to previously reported annual US. person numbers.
The DOJ's transparency letters again point out that the FISA court is basically approving everything set in front of it. Only one order has been withdrawn in the last two years and only 74 of 3,511 orders presented for "electronic surveillance" and/or "physical searches" were modified. The Section 215 collection requests were sent back for modification more often (roughly 2/3rds of the time) but ultimately, not a single one of those requests were denied.
So, there's more transparency than we're used to, but the 702 program still remains the best kept open secret. One order accesses thousands of "targets," and the ODNI hasn't exactly been forthcoming with additional details. Another explanatory note included does, however, point out inadvertently how useless the word "target" is when deployed by the NSA.
Within the Intelligence Community, the term “target” has multiple meanings. For example, “target” could be an individual person, a group, or an organization composed of multiple individuals or a foreign power that possesses or is likely to communicate foreign intelligence information that the U.S. government is authorized to acquire by the above-referenced laws.
Section 702's "explanation" takes it even farther:
In addition to the explanation of target above, in the context of Section 702 the term “target” is generally used to refer to the act of intentionally directing intelligence collection at a particular person, a group, or organization.
It's a noun, it's a verb, it's pretty much anything the NSA wants it to be
, as Marcy Wheeler explains:
Except that it doesn’t admit that, at least in the past, sometimes target means “the switch we know lots of al Qaeda calls to use.” Meaning the term “target” is a misnomer even within the context they lay out.
There's still nothing "targeted" about the NSA's supposedly targeted collections. The collection comes first and the targeting comes later -- sometimes using pre-determined selectors and other times by splashing around in the data until something presents itself. What the NSA means by "target" is nothing more than a term deployed to gain access to massive amounts of communications and data, all under the theory that it's somehow "relevant" to its counter-terrorism work.
The new report is a step towards transparency, but it's a very calculated move that throws out a few vague numbers while withholding anything that could put them into context. In this sense, it follows the administration's idea of transparency: nothing that goes deeper than the surface.