The NSA got a lot of criticism for releasing its IOB reports on December 23, just as everyone was preparing for vacation. But there were three reports that — at least when I accessed the interface — weren’t originally posted: Q3 and Q4 2009 and Q3 2010 — all conveniently important dates for the Internet dragnet (I’ll have more on what they didn’t disclose soon).

Apparently those reports were added on New Year’s Eve Eve Eve, an even bigger wasteland for document dumps than Christmas Eve.

In addition to details about what NSA did and didn’t reveal about the Internet and (to a lesser degree) phone dragnet, the Q3 report also claimed to rebut this June 16, 2009 Risen and Lichtblau article.

The article pretty clearly reveals the outlines of what we’ve since learned to be big privacy problems behind NSA’s programs — definitely back door searches, and probably upstream collection.

Since April, when it was disclosed that the intercepts of some private communications of Americans went beyond legal limits in late 2008 and early 2009, several Congressional committees have been investigating. Those inquiries have led to concerns in Congress about the agency’s ability to collect and read domestic e-mail messages of Americans on a widespread basis, officials said. Supporting that conclusion is the account of a former N.S.A. analyst who, in a series of interviews, described being trained in 2005 for a program in which the agency routinely examined large volumes of Americans’ e-mail messages without court warrants. Two intelligence officials confirmed that the program was still in operation.

[snip]

A new law enacted by Congress last year gave the N.S.A. greater legal leeway to collect the private communications of Americans so long as it was done only as the incidental byproduct of investigating individuals “reasonably believed” to be overseas. But after closed-door hearings by three Congressional panels, some lawmakers are asking what the tolerable limits are for such incidental collection and whether the privacy of Americans is being adequately protected. “For the Hill, the issue is a sense of scale, about how much domestic e-mail collection is acceptable,” a former intelligence official said, speaking on condition of anonymity because N.S.A. operations are classified. “It’s a question of how many mistakes they can allow.”

[snip]

The N.S.A. is believed to have gone beyond legal boundaries designed to protect Americans in about 8 to 10 separate court orders issued by the Foreign Intelligence Surveillance Court, according to three intelligence officials who spoke anonymously because disclosing such information is illegal. Because each court order could single out hundreds or even thousands of phone numbers or e-mail addresses, the number of individual communications that were improperly collected could number in the millions, officials said.

[snip]

But even before that, the agency appears to have tolerated significant collection and examination of domestic e-mail messages without warrants, according to the former analyst, who spoke only on condition of anonymity. He said he and other analysts were trained to use a secret database, code-named Pinwale, in 2005 that archived foreign and domestic e-mail messages. He said Pinwale allowed N.S.A. analysts to read large volumes of e-mail messages to and from Americans as long as they fell within certain limits — no more than 30 percent of any database search, he recalled being told — and Americans were not explicitly singled out in the searches.

Over and over, this report clearly describes the accessing of US person data, without warrants, that has been incidentally collected. Rush Holt — then leading an oversight investigation into the NSA — even goes on the record in the article.

The report helpfully includes the rebuttal NSA sent to Congress (starting at PDF 18). The rebuttal goes like this:

The NYT story made “it seem as if NSA is broadly irresponsible in executing its mission” under EO 12333 or FISA. “The opposite is true.”

NSA recently identified compliance issues but these “accusations are far afield of the compliance matters” related to the metadata dragnets and other recent violations. [The NYT had never said they were related, and there’s no evidence Risen and Lichtblau knew of them, except insofar as they also finally confirmed that the hospital confrontation pertained to the Internet dragnet in this article.]

It is difficult to know what the NYT’s anonymous sources mean. [The rebuttal makes no mention of Holt’s on the record comments, or the obvious references to back door searches.]

Maybe the reference to the examination of US person content is a reference to David Faulk, but those allegations are false, as the NSA IG will soon report.

A largely redacted bullet seems to admit they suck in related emails, as alleged in the article.

“The article also identifies a 30% threshold for inclusion of U.S. person information within NSA databases. There is no truth to this statement.” [Of course, that’s not what the article says, as the red text above makes clear — it talks about how much US person content a search may pull up, not how much is in the databases.]

The access of Bill Clinton’s email was in 1992 and it is used as an example in oversight training [which is what the article described — though the rebuttal makes it far more clear that this is an “about” search on what other people are saying about Clinton].

In other words, the rebuttal never actually rebutted that the NSA allows analysts to read all the incidentally collected US person content and — at least as early as 2008 — permitted the NSA and other agencies, especially FBI, to pull that up by identifier. The rebuttal never actually rebuts the bulk of what Risen and Lichtblau reported, which is that Congress was getting the willies about how much US person data NSA could access without warrants under these programs.

Here’s my favorite paragraph of the rebuttal.

The article goes on to suggest that NSA is not up to the challenge of protecting the privacy rights of U.S. person communications that are encountered as a result of lawful collection of foreign intelligence. To the contrary, NSA has robust minimization procedures and mechanisms in place to limit to the greatest extent the impact on privacy rights.

And yet, we’re still having this debate 5 years later. Not even PCLOB is convinced NSA’s protections (to say nothing of FBI’s) are adequate to protect the privacy of US persons.

I’m curious whether this report placated or heightened the concerns of Congress (the rebuttal is addressed to SSCI, so it’s not clear that Rush Holt ever got to see a version of it).

But it does seem clear that NSA started panicking because, in the middle of disclosing that both its dragnet programs were badly out of control, Risen and Lichtblau had revealed yet more reason for concern.