The Abuses That Nearly Led To The Bulk Metadata Program Being Shut Down Aren't Considered 'Abuses' By The NSA

from the rules-are-for-the-nobodies dept

The set of minimization rules the NSA was supposed to apply to its bulk records collections was issued in 2006. As was noted here earlier, the FISA court laid down a number of limitations and restrictions in this document -- which the agency nearly immediately began violating.



The rules applying to bulk record searches are dated May 24, 2006. A footnote in Judge Walton's furious court order detailing the numerous violations indicates that the NSA began including domestic non-RAS (reasonable and articulable suspicion) numbers on its Alert List shortly thereafter. An NSA report to the FISC dated August 18, 2006 made this statement:

[R]ather than conducting daily queries of the RAS-approved foreign telephone identifier that originally contacted the domestic number, the domestic numbers were included in the alert list as, "merely a quicker and more efficient way of achieving the same result…"

While the end point may seem indistinguishable, the methods aren't, and the NSA was forbidden from running searches using non-RAS domestic numbers. This points to the general tendency of the NSA and FBI to opt for the fastest route, rather than the constitutional route.

The Alert List utilized by the NSA contained a sizable number of domestic identifiers. At one point, this list of identifiers grew to nearly 30,000 numbers. Factor in the NSA's two/three-hop (depending on who you ask… and when) contact chaining, and an Alert List search could easily net the entire set of domestic numbers grabbed by the bulk records requisition.

The agency's defense of its abuse boiled down to two arguments, neither of which impressed Judge Walton.

The first claim was that the non-compliance "resulted from a belief by some personnel within the NSA that… [the] Court's restrictions… applied only to 'archived data.'" Walton shot back that this claim "strained credulity," adding that he found it hard to imagine why the court would allow the "critical" RAS requirement to hinge on whether the data had been archived or not. He nailed the lid shut on the argument with this sentence:

Indeed, to the extent that the NSA makes the decision about where to store the incoming BR [bulk records] data and when archiving occurs, such an illogical interpretation of the Court's Orders renders compliance with the RAS requirement merely optional.

The NSA buttressed its first claim with a second one that blamed its immediate oversight, rather than the less-specific "some personnel":

The NSA also suggests that the NSA OGC's [Office of General Counsel] approval of procedures allowing the use of non-RAS-approved identifiers on the alert list to query BR metadata not yet in the NSA's "archive" was not surprising, since the procedures were similar to those used in connection with other NSA SIGINT collection activities.

Walton tore that argument down as well, stating the lack of compliance wasn't simply a "terminological misunderstanding," but a willing decision by the agency to treat collections uniformly despite there being specific, court-ordered procedures in place to handle incoming BR data.

Further compounding the abuses of the BR data was the NSA's obfuscation of the alert process it (mis)used to search incoming collections. Walton notes that the agency "repeatedly submitted inaccurate descriptions of the alert process." The NSA, in turn, blamed these misrepresentations on a failure by "those familiar with the program" to correct inaccuracies in a report prepared by the managing attorney of the NSA's Office of the General Counsel.

Walton responded to this by pointing out two reasons why the NSA should simply be accused of lying. One, the general counsel who prepared the draft asked for recipients to "make sure" everything contained in the report was true before he sent it to the court. Secondly, Walton footnotes a transcription of proceedings before FISC judge Malcolm Howard where a redacted representative of the NSA affirms that the report is "true and accurate to the best of his knowledge or belief."

The last excuse given by the NSA for its abuse of the BR metadata is perhaps the most damning:

Finally, the NSA reports that "from a technical standpoint, there was no single person who had a complete technical understanding of the BR FISA system architecture."

This is astounding. The NSA openly admits it had no one qualified to deal with tons of metadata, much of which included details on American citizens, and yet it continued to operate the program, expand its Alert List and forge ahead using its own set of rules. At no time did it attempt to seek clarification from the court and at no time did it rein in its collection or querying efforts out of concern it might be violating the privacy of American citizens.

Instead, it did the opposite. It sought permission from the court to expand the number of analysts authorized to access the BR data. And "mistakes" continued to be made. The NSA assured the court it would be training the new analysts, but reports continued to filter back detailing more failures:

Despite this training, however, the NSA subsequently determined that 31 NSA analysts had queried the BR metadata during a five day period in April 2008 "without being aware they were doing so."

The uncomfortable truth of the matter is that the FISC judges have to rely on the NSA's narrative of how the programs are being used in order to determine whether requests can be approved. The NSA had a very nice setup, but it couldn't even keep that together. Three years of abuses almost led to the entire bulk records program being shut down by Judge Walton. He wraps up his court order with several damning paragraphs that call out the agency for its extended malfeasance:

…[F]rom May 2006 until February 18, 2009, the NSA continues to uncover examples of systemic noncompliance.

It has finally come to light that the FISC's authorizations of this vast collection program have been premised on a flawed depiction of how the NSA uses BR metadata. This misperception… existed from the inception of its authorized collection in May 2006, buttressed by repeated inaccurate statements made in the government's submissions, despite a government-devised and Court-mandated oversight regime.

The minimization procedures… have been so frequently and systemically violated that it can fairly be said that this critical element of the overall BR regime has never functioned effectively.

After running down the abuses, Walton again points out how the NSA's actions have effectively turned every layer of "oversight" into a joke:

[N]early all of the call detail records collected pertain to communications of non-US persons who are not the subject of an FBI investigation… [or] are communications of US persons who are not the subject of an FBI investigation… and are data that otherwise could not be legally captured in bulk by the government.

[T]he Court must rely heavily on the government to monitor this program to ensure that it continues to be justified… and that it is implemented in a manner that protects the privacy interests of US persons as required by applicable minimization procedures. To approve such a program, the Court must have every confidence that the government is doing its utmost to ensure that those responsible for implementation fully comply with the Court's orders.

The Court no longer has such confidence.

Five years later, however, the program continues. Walton's order severely limited the NSA until it got a handle on the bulk records program. Walton allowed the collections to continue but forced the NSA to run search requests through the FISC on a "case-by-case" basis.

But were these cases "abuse?" The NSA's stance has been (up until recently) that no abuse has occurred. Some NSA officials probably still believe that nothing that happened between 2006 and 2009 constitutes "abuse," at least not according to any definition it uses.

As the leaks began to filter out into the media, the NSA's defenders have stressed repeatedly that the agency has not abused the rights of Americans, or carried out illegal programs. When evidence surfaced that thousands of incidents of abuse occurred, it turned supporters and insiders like Sen. Feinstein ("......") and NSA Director of Compliance John Delong ("") into liars, or at the very least, dispensers of half-truths.

The defenders of the agency hedge in order to give thousands of apparent abuses the appearance of slight, inadvertent violations. Defending itself from accusations of abuse is about the only place the NSA seems interested in deploying any form of minimization. Feinstein hedges by stating the "committee" has never identified abusive instances (which have to be "intentional" -- an apparently subjective term). Well, considering the committee's role as the premier NSA apologist, it's hardly surprising it's never "identified" any abuse. It's really not interested in looking for any.

Delong hedges as well, using "willful" and "malicious" to make the NSA's convenient "misunderstanding" of the minimization guidelines (which, for a legal document, are surprisingly clear) appear to be privacy-violating errors rather than instances of abuse.

But the NSA did abuse its power and it did violate the privacy of Americans. Just because the analyst doesn't sit down at the desk and start searching for an ex-girlfriend's data (oh wait...), doesn't mean what happened for three straight years under Alexander's watch was any less abusive.

Operating a system you don't understand to harvest data on Americans indiscriminately is a form of abuse. Attempting to get away with treating a very specifically regulated program as indistinguishable from other NSA programs not subject to strict limitations is a form of abuse. It's an abuse of the power granted by the Court. It's abuse of the rights of American citizens. But it's never considered abuse by the abusers -- who rationalize everything away as a typo or a misinterpretation or improper training or anything but what it actually is.

Filed Under: abuses, fisc, metadata, nsa, nsa surveillance, patriot act, section 215