The Latest NSA Documents: A Summary

By Benjamin Wittes, Sean Mirski, Lauren Bateman, Matt Danzer
Wednesday, October 30, 2013, 3:00 PM

The latest cache of documents released by the DNI does not contain any explosive new revelations. Unlike previous releases, it does not show big problems under either Section 215 or Section 702 that produced FISC litigations over months to resolve. They are, to put it mildly, pretty weedy.

That said, there is important information in them. They contain a bunch of correspondence with congressional overseers regarding the earlier problems, thus shedding more light on the question of how rigorously informed the administration kept Congress. Moreover, they appear to address questions that Senator Ron Wyden has addressed about the bulk collection of cell phone location data. And at one point, they even appear to describe a second metadata bulk collection program under the pen register/trap and trace statute—a matter that will certainly lead to further explication.

Here are summaries of all the new documents organized thematically.

 Oversight Matters

Most of the documents involve executive-legislative communications concerning the problems in the 215 program that arose in 2009. As we have discussed these at length with respect to earlier document releases, we will not rehash the facts here but assume a certain familiarity.

On February 25, 2009, NSA General Counsel Vito Potenza sent a letter to the staff directors of the House Permanent Select Committee on Intelligence informing the committee of the Department of Justice’s previously disclosed January 15, 2009, notice to the Foreign Intelligence Surveillance Court that the NSA failed to conform with a number of previous FISC orders. The letter summarizes information we already know: NSA improperly used two automated processes to query telephony metadata, the agency identified “some manually entered queries that were noncompliant,” and it has since “made changes to its processes to ensure” that it complies with FISC requirements. Potenza also summarizes the NSA’s response to FISC’s January 28, 2009, order in response to the reported incidents, which required a review of the way NSA queried electronic communications metadata. That review ultimately turned up another noncompliant process that the NSA has since discontinued. The letter concludes by indicating that, in addition to notifying FISC, the NSA has provided this information to “a number of senior Executive Branch officials,” including the President’s Intelligence Oversight Board, the Director of National Intelligence, the NSA’s Inspector General, and the Under Secretary of Defense for Intelligence.

The next document is a “memorandum of understanding” for NSA analysts seeking access to the business records collected under FISA. The MOU was first issued on January 8, 2007, and was subsequently revised in March 2009 in response to the previously-disclosed March 2, 2009, FISC order, which imposed stricter scrutiny by the FISC of business record queries. The resulting guidelines to analysts include requirements to:

  • Use selectors in queries only after they have been approved for such use;
  • Exercise “great care” in entry of numbers into queries;
  • Immediately report any apparent errors or anomalies in the query process;
  • Limiting queries to two “hops” from an approved selector, rather than the three hops that NSA believes is authorized, “until provided additional guidance”;
  • Have analysts pass an oral competency evaluation to ensure understanding of the proper means of accessing business records;
  • Adhere to the date ranges appropriate for querying within each of the four metadata repositories: signals intelligence, business records, pen register/trap and trace, and a fourth, unidentified database which appears to have been discontinued as of March 18, 2009; and
  • Record the findings associated with queries using approved selectors, which “will determine the breadth of additional queries.”

On May 7, 2009, NSA Deputy Associate Director La Forrest Williams sent letters to the majority and minority staff of both the House Permanent Select Committee on Intelligence and Senate Select Committee on Intelligence, updating the committees on the NSA’s “ongoing end-to-end review” of all queries made to the metadata repository since November 1, 2008, which was initiated by NSA Director Lt. Gen. Keith Alexander in February 2009. The identical letters indicate that by early May 2009, the review of NSA’s business records data practices is “wrapping up” and a final report for the committees is under review “for legal and factual accuracy, including an assessment of whether the new issues present any substantive privacy concerns or are essentially procedural issues.”

On July 2, 2009, the Chief of Operations Section of the DOJ National Security Division’s Office of Intelligence, whose identity is not disclosed, sent this cover letter to FISC Judge Reggie Walton informing him that NSA transmitted on June 30, 2009, a report (enclosed in the original, but not included in the disclosure) on the agency’s end-to-end review of its business records practices to HPSCI, SSCI, and the House and Senate Judiciary Committees. The letter further indicated that the government will formally file the report with FISC “upon completion of the government’s end-to-end system engineering and process review,” along with additional information responsive the FISC’s orders of March 2, 2009, and June 22, 2009.

In another letter, dated September 10, 2009, NSA updates the SSCI on its efforts to ameliorate the FISC’s concerns in the wake of the end-to-end review. The letter references a September 1st, 2009, FISC-requested meeting between the NSA and FISC Judges Bates, Walton, and Hogan, referring to it as an opportunity to "demonstrate NSA's dedication to compliance with the [FISC] Court's Orders," and to show how the NSA uses the business records for intelligence missions while simultaneously protecting privacy. Three days after the meeting, Judge Walton signed a renewal order for the program.

In this August 16, 2010 letter from Weich, the Department of Justice informs the chairmen of the congressional judiciary and intelligence committees—Senators Leahy and Feinstein, and Representatives Conyers and Reyes—along with the respective ranking minority members and Judge Bates that pursuant to 50 U.S.C. §1871, it is “providing the Committees with copies of remaining decisions, orders, or opinions issued by the [FISC], and pleadings, applications, or memoranda of law associated therewith, that contain significant constructions or interpretations of any provision of FISA during the five-year period ending July 10, 2008.” The Department also let these chairmen know that the materials would only be redacted to the extent necessary to protect “the identities of targets and information concerning sensitive sources and methods.”

The Program's Value

On October 21, 2009, NCTC Director Michael Leiter and the NSA's Associate Deputy Director for Counterterrorism (whose name is redacted) gave a joint statement to the House Intelligence Committee concerning the importance of Section 215.

They statement's authors contrast the pre-PATRIOT Act regime with the post-PATRIOT Act regime, attributing critical pre-9/11 intelligence failures to a legal architecture which hamstrung agency analysts:

Members will recall that, prior to the attacks of 9/11, the NSA intercepted and transcribed seven calls from hijacker Khalid al-Mihdhar to a facility associated with an al Qa’ida safehouse in Yemen. However, NSA’s access point overseas did not provide the technical data indicating where al-Mihdhar was calling from. Lacking the originating phone number, and hearing nothing in the content of those calls to suggest he was in the United States, NSA analysts concluded that al-Mihdhar was overseas. In fact, al-Mihdhar was calling from San Diego, California.

Under Section 215, by contrast, NSA can access telephony business records in bulk, meaning that the agency can "rapidly identiy individuals like al-Mihdhar who might be operational in the United States today as well as their network of contacts."

The statement then points to a specific case for which NSA telephony metadata analysis has been valuable: the investigation of Najibullah Zazi. It is one of the more detailed statements the government has issued regarding how 215 was used in the Zazi case and, therefore, worth reading as perhaps the government's best case study for positive national security impact. Working with Pakistan-based Al Qaeda affiliates, Zazi had planned to use IEDs within the United States. The FBI identified Zazi's Colorado-based phone number, and shortly thereafter NSA queried the business records metadata to ascertain Zazi's contacts. This intelligence revealed that Zazi had contacted Adis Medunjanin, a contact the report describes as "key." The portion of this section following that revelation is redacted.  

The final portion of the testimony focuses on the FISC's involvement with Section 215. It describes the March 2, 2009, FISC Order, which had restricted access to metadata except for case-by-case exigencies to protect against immediate threat to human life. In response to that order, NSA pursued a "more robust compliance regime." The September 3, 2009, FISC reauthorization of the business records program followed.

The document concludes: “9/11 taught us that applying lead information from foreign intelligence in a comprehensive and systemic fashion is required to protect the homeland. The Business Records FISA program operated under Section 215 of the USA Patriot act covers a critical seam in our defense against terrorism.”

A Second Metadata Program?

One of the most interesting documents—or three of them, to be precise—is a series of letters that Assistant Attorney General Weich wrote on December 17, 2009 in response to missives from Congressmen Bobby Scott, John Conyers, and Jerrold Nadler asking DOJ to provide additional information publicly about Section 215.

The request was essentially declined: "Because we are concerned that public disclosure would cause serious damage to national security, we cannot disclose publicly that Section 215 is used for bulk collection of telephony metadata." But the DOJ agreed to provide additional information on the programs to all Members of Congress and security-cleared staff members--not just the intelligence committees.

What makes the documents—which are identical to one another—so interesting is that they appear to reveal that another metadata program exists, or at least did exist at that time, under the pen register statute. In promising more data on the 215 program, Weich writes, “we do agree, however, that it is important that Members of Congress have access to information about this program, as well as a similar collection program conducted under the pen register/trap and trace authority of FISA, when considering reauthorization of the expiring USA PATRIOT Act provisions.” References to this program have appeared in at least one earlier document---this letter to Reyes, which we posted in July. It remains a bit opaque what exactly this program is and how it relates to the 215 metadata program.

Some Testing on Cell Location Data

Finally, the cache includes two documents related to the collection of data from mobile systems—a matter about which Senator Wyden expressed concern at a recent Senate Intelligence Committee hearing. Government witnesses at the hearing had acknowledged that they had done some testing with respect to collection of telephony geolocation data but insisted they were not routinely collecting such data in bulk. These documents appear to shed light on this activity.

An April 1, 2011 memorandum sent by an attorney in the Office General Counsel (Intelligence Law) informs someone named “Evan” about “NSA’s mobility testing effort.” Evan, it seems, had asked for details about the program, when the Department of Justice and the FISC were informed of the program, and specifically about whether there was a memorandum of law available on “cell site locations.” The attorney responds in this memorandum that the “NSA tested data from the April 26, 2010 feed” and used “four files” for the mobility testing effort, and that “[t]he results of NSA’s technical analysis remained with the provider’s technical team.” Moreover, “NSA continues to receive and analyze sample data.” The attorney also assures Evan that the NSA consulted with DOJ prior to beginning this testing effort, and was advised in February 2010 that “obtaining the data for the described testing purposes was permissible based upon the current language of the Court’s BR [Business Records] FISA order requiring the production of ‘all call detail records.’” Finally, the attorney informed Evan that while no memorandum of law currently existed, one was being drafted.

More than a year later, on September 1, 2011, Ethan Bauman, the Director of NSA’s Legislative Affairs Office, sent a notification memorandum to the staff director and minority staff director of the congressional judiciary committees. In them, Bauman informs the committees that “in addition to the telephony metadata the [NSA] has been acquiring since 2006 under its counterterrorism Business Records (BR) [FISA] program, NSA has begun to acquire and analyze telephony metadata derived from cellular network or ‘mobility’ call detail records (CDRs).” Mr. Bauman states that the metadata is produced based on a FISC order pursuant to 50 U.S.C. §1861 (Section 501). The memoranda stress the procedural safeguards on the NSA’s handling of the data, as well as the fact that the NSA extensively tested the program prior to starting to acquire the data in order “to ensure strict compliance with the terms of the FISC Orders.” Moreover, “NSA requested that . . . [the redacted name of the collector] remove the cell [redacted] location information [redacted] before providing the CDRs to NSA,” so that NSA does not receive this data. Mr. Bauman also mentions that this program began on Aug. 29, 2011.