NSA Surveillance Compliance Reports Show Typos, Lack Of Communication Resulting In Erroneous Targeting And Collection

from the good-numbers-overall,-though dept

The Director of National Intelligence's office (ODNI) has just released three Section 702 compliance reports covering December 2012 - May 2014. Considering the six-month lag time between the period covered and the reports' release, this is very likely as up to date as it can be at this point.

The ODNI is (almost) justifiably proud of its awkward embrace of government openness.

Consistent with the transparency principles, ODNI coordinated an extensive interagency review process to ensure the greatest transparency while protecting national security information, in order to enhance public understanding of the government’s implementation of Section 702.

Bravo and all that, but that doesn't really explain why we're still missing a handful of older transparency reports. This release covers reports 10, 11, and 12. Reports 1-3 are also available at the ODNI's Tumblr, but the list is still missing reports 4-8.

These aren't really oversight documents, per se -- at least not in terms of independence. They're composed by the agencies involved with the collection and retention of data gathered by the Section 702 program. They appear to be a collaboration between the DOJ and the ODNI, rather than the product of independent auditors or the involved agencies' Inspectors General.

That being said, the NSA still unfortunately erroneously obtains information it shouldn't.

As noted in the Section 707 Report, there were a total of [redacted] compliance incidents that involved noncompliance with the NSA targeting or minimization procedures and [redacted] involving noncompliance with FBI targeting and minimization procedures; for a total of [redacted] incidents involving NSA and/or FBI procedures.

Thanks to the redaction, it's difficult to say how often compliance incidents happen, but letter spacing suggests it might be as high as three digits' worth. Overall, it's only a small percentage of the total haul: 0.32%. More than half of the incidents involved tasking or detasking of "facilities" (which may be nothing more than an email address, as the NSA has argued that a "facility" can be anything that "facilitates" communications).

Tasking problems mostly arise from that all-too-common human error: typos.

Over the time periods covered in the above chart, the tasking and detasking incident compliance rate has varied by fractions of a percentage point as compared to the average size of the collection. Tasking errors cover a variety of incidents, ranging from the tasking of an account that the Government should have known was used by a United States person or an individual located in the United States to typographical errors in the initial tasking of the account that affect no United States persons or persons located in the United States.

Detasking, however, doesn't seem to be as prone to keyboard fumbling.

On the other hand, detasking errors more often involve a facility used by a United States person or an individual located in the United States, who may or may not have been the targeted user.

It would seem that being unable to determine whether a target is or isn't a target would result in more errors. And perhaps it does, but either way, the number of errors compared to the total number of targeted facilities is little more than a rounding error. Information provided earlier in the report suggests most detasking issues arise from a lack of communications between agencies. (The FBI and CIA both contribute -- and partake of -- the NSA's 702 collections.)

The report also reminds us how integral the FBI is to the NSA's bulk collection programs and how reliant the NSA is on a mainly-domestic agency to justify its overseas data hauls.

FBI fulfills three separate roles in the implementation of Section 702. First, FBI is authorized under the certifications to acquire foreign intelligence information [redacted] from electronic communication service providers, by targeting facilities that NSA designates for such acquisition (hereinafter “Designated Accounts”). [Redacted] must be conducted pursuant to FBI’s targeting procedures. Second, FBI conveys [redacted] from the electronic communications service providers [redacted] for processing in accordance with the agencies’ FISC-approved minimization procedures. Similarly, FBI also provides [redacted]. Third, FBI may receive [redacted] unminimized Section 702-acquired communications. Such communications must be minimized pursuant to FBI’s Section 702 minimization procedures. Like CIA, FBI has a process for nominating to NSA new facilities to be targeted pursuant to Section 702. During this reporting period, FBI continued to expand this nominating process to its FBI field offices.

So, the FBI not only obtains FISA orders in its name (with the NSA actually taking possession of the collection upon receipt [so to speak…]), but it also can tell the NSA what to look for when it sends the FBI back to the FISA court to obtain another order.

The report also points out that incorrect searches don't always contain typos. Sometimes they contain search terms that can significantly broaden the search results.

For example, an overbroad query can be caused when an analyst mistakenly inserts an “or” instead of an “and” in constructing a Boolean query, and thereby potentially received overbroad results as a result of the query.

And, although the number of tasking issues remains low, a large percentage of those are the result of agencies moving ahead without a sufficient amount of suspicion.

In the current reporting period, approximately 20% of the compliance incidents involve initial targeting decisions based upon insufficient information to support a determination that a target was a non-United States person reasonably believed to be located outside the United States. Many of these incidents involve process issues in which the error was a failure to consider the totality of relevant circumstances…

But, on the other hand, it was rarely US persons being inadvertently targeted, so no harm, no foul.

[I]n the vast majority, but not all, of the cases, there is no indication that the individual targeted actually was in the United States or a United States person.

As is to be expected from reports like these, lots of potentially interesting stuff has been redacted completely and anything pertaining to the total number of errors has been excised. Still, after years of never showing its work to the general public, the ODNI's release of these reports in a somewhat timely manner suggests the ODNI is at least trying to make small talk with transparency, if not completely ready to engage in a full embrace.


Filed Under: compliance, mass surveillance, nsa, odni, section 702, surveillance