from the where-'about'-means-'how-about-we-just-collect-it-all?' dept
The ODNI has released several documents in response to FOIA lawsuits (EFF, ACLU). The EFF scored 18 of these (handy zip link here) and the ACLU seven. The ACLU’s batch has proven more interesting (at least initially). One document it obtained shows a tech company challenged a Section 702 surveillance order in 2014. The challenge was shut down by the FISA court, but with the exception of Yahoo’s short-lived defiance, we haven’t seen any other evidence of ISP resistance to internet dragnet orders.
Included in the ACLU’s batch is a 2008 FISA Court transcript [PDF] that’s particularly relevant to the NSA’s voluntary shutdown of its “about” collection. In it, the NSA discusses its filtering and oversight procedures, which were already problematic nearly a decade ago.
There are some really interesting tidbits to be gleaned from the often heavily-redacted proceedings, including this statement, which makes it clear the NSA engaged in wholly-domestic surveillance prior to the FISA Amendments Act.
THE COURT: All right. Well, what about the non-U.S. person status, which of course is new under the FISA Amendments Act? Are you going to be changing anything in terms of focusing on that?
[REDACTED GOV’T RESPONDENT]: We already sort of do with respect to the U.S. person status is so intertwined with the location of the target [REDACTED] to the extent that in the past NSA.would actually affirmatively identify targeted U.S. persons to us on the sheets, because one of the additional fields that they put in the sheets is basically a blurb, an explanation and a description of the target.
Clearly, we’re not allowed to target US persons anymore, so I don’t anticipate seeing any such descriptions on the sheets. But again, since the status of the person, the determination of how that is made is so intertwined with the same information upon which NSA relies to make a foreignness determination, that it would be hard for us not to identify such information as we’re conducting the reviews.
Which, of course, means the NSA was allowed to target US persons and their communications previously, contradicting statements made by US officials, including President George W. Bush and Vice President Dick Cheney.
It’s stated earlier in the transcript that the NSA does a few things to help minimize examination of US persons’ communications. But they’re not great. The NSA runs spot checks on analysts’ transactions, deploys filters, and relies on self-reporting to guard against Fourth Amendment violations. It sounds like quite a bit, but the details show it’s not nearly enough. To start with, the filters meant to filter out US persons’ communications don’t work.
COURT: The NSA minimization procedures, you’re stating, ‘contain a provision for allowing retention of information because of limitations on NSA’s ability to filter communications.’ My question I had was is the filter discussed in targeting the same filtering. I just wanted to understand that, and apparently it is. [The rest of the court’s question is redacted.]
GOV’T: I think the inclusion of that provision in the minimization procedures was intended to be prophylactic in the event that the filters don’t necessarily work, and NSA has represented that it’s been their experience with the filters and [redacted] this provision basically captures instances where the filters may not work in every instance.
And there’s a good reason why they won’t work “in every instance.” Further unredacted discussion reveals the NSA partially relies on an IP address blacklist to filter out US persons’ communications. This is better than nothing, but still a long way from being a strong positive indicator of a target’s (or incidental target’s) location.
The court then asks about the limitations of the filters and… we get several fully-redacted pages as an answer.
The court also asks about the “about” collection — where targets are discussed but the communications do not directly involve NSA targets.The judge wants to know how often this is being used rather than the more-targeted “to/from” collection and how often it results in incidental collection. Unsurprisingly, the government can’t say how often this happens. This is because the NSA saw no reason to track these searches.
GOV’T: As far as the percentage number, we don’t have a number for that, because as I mentioned earlier, when we [redacted] we find to’s and froms and [redacted] so we don’t categorize those separately to be able to count those communications as abouts.
The court then asks why it’s not possible to limit the collection to to’s and froms. The government’s response is that collecting it all just works better for the NSA, even though it apparently possesses the technical ability to keep these collections separate.
It is technically feasible. The problem with doing so is if you end up discarding a number of communications that are truly to-froms that you should be able to collect but [redacted]…
So by trying to limit us to no abouts, then we end up cutting out those kind of communications as well, truly to-froms. So it would be — we’re not surgical enough to take that out of the equation without impacting our ability to do to-froms effectively.
And later in the discussion, there’s a bit of a bombshell about the “about” collection. The NSA shut it down because it couldn’t find a way to prevent incidental collection of US persons’ communications. In this transcript, the government points out incidental collection is just as likely with to-from targeting.
COURT: Is it more or less likely to pick up U.S.-person information in an about than a to or from?
MR. OLSEN: I don’t know the answer in practice. At least from my perspective in theory, I wouldn’t see why it would be more likely than a targeted to or from collection where the target’s outside the United States where there’s a similar possibility that that target would be in communication with someone in the United States, with a U.S. person in the United States.
If this is true, the elimination of the “about” collection doesn’t do much to curtail incidental collection. And almost a decade ago, the NSA was already making it “impossible” to comply with Congressional requests for incidental collection numbers by refusing to separate its collections, even with the FISA Court raising questions about its Fourth Amendment implications.