FISA

The November NSA Trove IV: The Internet Metadata Collection Story Develops

By Sean Mirski, Lauren Bateman
Thursday, November 21, 2013, 1:30 PM

Your latest dispatch from the November NSA Trove: a trio of judicial opinions on internet metadata acquired, in bulk, by means of pen register and trap-and-trace ("PR/TT") devices.  (Recall that, in 2004, the FISC initially approved this, in an opinion by Judge Colleen Kollar-Kotelly.)

The rulings are apparently separated by considerable time, with the first two seemingly handed down in 2009 and the third perhaps as much as a year afterwards.  (Extensive redactions make it harder to know what happened when.)  The gap suggests that there’s a good bit more to the PR/TT story to be assembled; still, there's a lot to glean from the three opinions.

Judge Walton's Opinion and Supplemental Opinion 

First up is an order from FISC Judge Reggie Walton, possibly issued on or about June 22, 2009 (“Order”).  (The month, day, and year of the Order’s signature are, in fact, redacted from the document itself; however, the declassified .pdf’s file name, apparently selected by the Director of National Intelligence, reflects the June 22 date.)  The gist of the Order is to recount and respond to some recent back-and-forth between the FISC and the government regarding compliance failures.

Judge Walton opens with some background.  In a prior ruling, he had expressed concerns about the internal dissemination of PR/TT-collected internet metadata within the NSA, as well as about inaccurate information provided by the government regarding the number of reports generated from such metadata. Walton's earlier ruling had inquired as to these issues; the government responded, among other things, by asking “the Court to allow NSA to continue to share the results of authorized queries of the PR/TT metadata with analysts other than the limited number who are permitted to perform queries.” The government also clarified the number of reports.

But that was not the end of the matter.  As the Court notes in the Order, “[u]nfortunately, the government’s responses . . . also raise two additional compliance issues.” First, the government disclosed “that NSA has generally failed to adhere to the special dissemination restrictions originally proposed by the government, repeatedly relied upon by the Court in authorizing the collection of the PR/TT metadata, and incorporated into the Court’s orders . . . as binding on NSA.” Specifically, the government was obligated to “treat information derived from queries of the metadata in accordance with United States Signals Intelligence Directive 18 (USSID 18).” However, “NSA likely has disseminated U.S. person information derived from the PR/TT metadata outside NSA without a prior determination by the NSA official designated in the Court’s orders that the information is related to counterterrorism information and is necessary to understand the counterterrorism information or to assess its importance.” As for the second compliance issue, the government also disseminated U.S. person information derived from queries of PR/TT metadata—in violation of USSID 18—by uploading the results into “a database to which other intelligence agencies . . . had access.”

The Court stressed that it was not principally concerned because NSA had shared “authorized queries of the PR/TT metadata with analysts other than the limited number authorized to access the metadata,” but rather, because “NSA analysts, cleared and otherwise, have generally not adhered to the dissemination restrictions” (emphasis in the original). Accordingly, the Court’s order allows NSA to “share the results of authorized queries of the PR/TT metadata with NSA analysts other than the limited number of analysts who are authorized to access the metadata, provided, however, that any NSA analyst receiving such query results in any form has first received appropriate and adequate training and guidance” (emphasis in the original). The Court also ordered the government to report to the Court every instance in which the NSA shared information from either “the PR/TT or BR metadata collections with anyone outside NSA.” Finally, in certain cases, the government must include in the reports “a full explanation of why the government has permitted the dissemination . . . without regard to whether such dissemination complied with the clear and acknowledged requirements for sharing U.S. person information derived from the metadata collected pursuant to the Court’s orders.”

Appended to Walton’s Order is a second ruling, a supplemental order (“Supplemental Order”)---the date for which is also redacted (but presumably falls somewhere in the neighborhood of the June 22 date described by the file path). The FISC’s subject is, once more, PR/TT metadata handling procedures.

In the Supplemental Order, the Court deals with the government’s “practices with regard to the creation and use of defeat lists for . . . selectors,” which had “deviated, at least in part, from the procedures governing the handling of PR/TT metadata.” The Court emphasizes that “the procedures at issue were devised by the government and incorporated into the Court’s orders as binding upon the NSA at the government’s suggestion,” and that the Court would likely have found different practices—like the ones now proposed by the government—“reasonable.” “In any event, the Court finds that the continuation of the defeat list practices is reasonable and appropriate”; the NSA may “[c]ontinue to use the existing ‘master defeat list’ for metadata reduction and management in its . . . contact-chaining repositories”; “[a]dd to the ‘master defeat list’ . . . identifiers discovered by NSA technical personnel through chain summary building and management processes”; and “[a]dd to the ‘master defeat list’ . . . identifiers discovered by NSA analysts reviewing the results of authorized queries of the PR/TT metadata.”

Judge Bates' Opinion

Now, a pause---one lasting until approximately July 2010, according to Marcy Wheeler.

That was when the FISC issued this 117-page opinion, in which Judge John D. Bates considers whether to allow the government to continue and expand pen register/trap and trace (PR/TT) authorization for NSA to acquire metadata on internet communications. The government also sought to use information previously obtained by NSA under PR/TT orders, "regardless of whether the information was authorized to be acquired . . . or exceeded the scope of previously authorized acquisition."

Judge Bates grants the application in part and denies it in part, authorizing PR/TT collection but subjecting use of the information to strict privacy-protecting minimization procedures and prohibiting the government from accessing data previously accumulated through unauthorized electronic surveillance.

The opinion begins by describing FISC Judge Colleen Kollar-Kotelly's initial authorization of bulk internet metadata collection under the pen register/trap and trace provision of FISA, 50 U.S.C. 1842.

The series of FISC orders that followed the initial authorization, according to Judge Bates, all shared certain "constants": first, each order limited the acquisition to certain (redacted) categories of metadata; second, analysts were required to limit queries based on reasonable articulable suspicion (RAS) that the internet account was associated with a targeted terrorist organization; and third, NSA was limited in the manner in which it could disseminate the information---a designated NSA official must have certified that the information was related to counterterrorism. In the application that Judge Bates reviewed for this opinion, the government mostly relied on this framework, but also sought "to expand authorization in ways that test the limits of what the applicable FISA provisions will bear."

Next, to give context for his decision, Judge Bates catalogues a series of ways in which NSA had failed to comply with past PR/TT orders:

  • The first failure occurred because NSA officials who understood in detail the requirements of the Kollar-Kotelly opinion did not communicate those requirements to the individuals responsible for implementation.
  • The second failure the government attributed to a typographical error, which would have "effectively approved two months of unauthorized collection." In the wake of the error, FISC approved a prospective collection, but required that NSA remove from its systems data collected under the erroneous order.
  • The third failure stemmed from a series of compliance problems: NSA had accessed metadata using a form of automated querying not based on the RAS standard; NSA analysts who were not authorized to receive the information had nevertheless received unminimized results; and there had been some general problems with continuous and systemic overcollection.

Noting that authorization for PR/TT surveillance had since expired, the opinion then turns to the questions before the court: (1) whether the government's proposed collection involves the use of a pen register device within the meaning of the statute, (2) whether the government has statutory authorization to collect the data, and (3) whether the government may permissibly use all previously-collected data, including the data accumulated in the unauthorized collections.

In sum, Judge Bates holds that (1) the proposed collection, for the most part, does involve the use of pen register/trap and trace devices under the meaning of the statute, (2) the application satisfies the applicable statutory requirements, (3) the government's proposals to retain, use, and disseminate the pen register/trap and trace metadata, subject to some modifications, fit within the statutory framework, and (4) the government may access and use data from previously-conducted authorized surveillance, but may not access the data from previously-conducted unauthorized surveillance.

Taking each holding in turn:

The Proposed Collection Involves the Installation and Use of PR/TT Devices

Because the government's application sought to "expand considerably the types of information authorized for acquisition," Judge Bates turns first to the authorizing statute to determine whether the data at issue is the type of data that Congress had envisioned for PR/TT collection.

18 U.S.C. §§ 3127(3)-(4) define the terms "pen register" and "trap and trace device" to include devices which record "dialing, routing, addressing, or signaling" (DRAS) information, but do not record the contents of a communication. This is a fraught distinction: Judge Bates explains that it is clear in person-to-person email communication that "contents" include the text of the message, attachments, and the subject line, but what constitutes "contents" is a much more complicated inquiry in the context of online interactions between a user and a provider of web services.

The government had hoped to frame DRAS and "contents" as mutually exclusive categories of information; by forcing an either/or determination, the approved-for-surveillance DRAS category would presumably expand, and the prohibited-from-surveillance "contents" category would contract. But Judge Bates rejects that construction, and instead formulates a two-part test for PR/TT collection: "(1) is it DRAS information?; and (2) is it contents?"

The application of the test to the categories of metadata sought for acquisition---a lengthy exercise in what Judge Bates describes as "difficult line-drawing"---is almost completely redacted. But two things are clear: first, that he approves "most, but not all of the proposed collection," and second, that Judge Bates interprets the PR/TT statute as follows:

PR/TT devices may not obtain any information concerning the substance, purport, or meaning of any communication, including those between account users and providers, and that communications actions that divulge any such information would be impermissible 'contents' for purposes of a PR/TT authorization. (emphasis in original)

The Application Satisfies the Applicable Statutory Requirements

In its application, the government sought authority to acquire a greater volume of metadata while simultaneously "modifying---and in some ways relaxing---the rules governing the handling of metadata." NSA projected that the metadata collected during the period of the requested order "compared with the norm under prior orders . . . [would constitute] roughly an 11- to 24- fold increase in volume."

A combination of factors gave Judge Bates serious pause: "The government's poor track record with bulk [pen register/trap and trace] acquisition . . . presents threshold concerns about whether implementation will conform with, or exceed, what the government represents and the Court may approve." Nevertheless, Judge Bates finds, "after reviewing the government's submission and engaging in thorough discussions with knowledgeable representatives," that he now has a full and accurate description of bulk PR/TT acquisition. He thus approves the government's proposed modifications only insofar as they do not erode privacy protections for U.S. persons.

It appears that the most controversial component of the government's application was whether wholly non-targeted bulk production of metadata could ever satisfy FISA's requirement that information collected be "relevant to ongoing investigations to protect against international terrorism." Judge Bates concludes that the relevancy requirement is satisfied because---and here Judge Bates quotes NSA Director Keith Alexander---it "will substantially increase NSA's ability to detect and identify the [terrorist-affiliated] Foreign Powers and those individuals affiliated with them." Because it is impossible to determine what information will be relevant in advance, and because internet information is ephemeral, the court concludes that bulk metadata acquisition---subject, of course, only to queries which meet the RAS requirement---is sufficiently relevant to terrorism-related investigations to satisfy the statute.

The Court Approves, Subject to Modifications, Restrictions and Procedures Proposed by the Government

Judge Bates notes that unlike other provisions of FISA, the pen register provisions do not contain required minimization procedures. But the government's application---as the government itself acknowledged---was so sweeping and non-targeted that some restrictions on retention, use, and dissemination of the information obtained through PR/TT were necessary to protect the privacy of U.S. persons.

Searching for a statutory basis upon which to adjudicate the government's application, Judge Bates compares the government's proposed minimization procedures with requirements found in 50 U.S.C. §1801(h)---the procedures meant to protect the privacy interests of U.S. persons with regard to the contents of communications. Note that Judge Bates is holding the government to a very high standard here; in the absence of statutory mandate for any minimization procedures at all, he imposes the minimization procedures Congress found to be sufficient to protect U.S. persons' privacy with regard to content.

By and large, Judge Bates finds that the procedures proposed by the government meet these stringent requirements. The court allows some expansions of the authority that Judge Bates sees as essentially "not material," including adding two high-ranking NSA officials to the list of individuals suited to identify whether queries have a "counterterrorism purpose," as well as expanding the metadata retention period from four-and-one-half years to five years. But the court denies others; specifically, it declines to accept the government's invitation to "review and pre-approve individual disseminations of information based upon the Court's own assessments of foreign intelligence value."

As for oversight and reporting, the court includes two orders: (1) NSA's Office of the General Counsel and Office of the Director of Compliance must ensure that all NSA personnel who receive PR/TT query results receive appropriate training for the handling and dissemination of such information, and (2) NSA must submit a report every 30 days describing instances in which "NSA has shared, in any form, information obtained from the PR/TT metadata with anyone outside the NSA" and must certify that such disseminations were related to a counterterrorism mission.

The Government May Access and Use Data from Previous Authorized Collections, but May Not Access Data from Unauthorized Collections

Judge Bates concludes that the FISC "possesses authority to permit the government to query data collected within the scope of the Court's prior orders," but that it lacks authority to approve querying data that was collected in an unauthorized manner. The court reasons that that data collection constituted unauthorized electronic surveillance, and that the government officials responsible for making disclosures mostly knew that it was unauthorized. So the FISA itself prohibits---and indeed criminalizes in 50 U.S.C. § 1809(a)(2)---the use of erroneously accumulated surveillance.

There is one category of unauthorized electronic surveillance not subject to the criminal prohibition: if the relevant government officials did not know, and had no reason to know, that the information was collected in contravention of law, then no provision of law precludes the court from authorizing the government to access and use such information. "The bigger question here," Judge Bates wrote, "is whether the Court should grant such authority."

The court cautions that "[g]iven NSA's longstanding and pervasive violations of the prior orders in this matter, the Court would be acting well within its discretion in precluding the government from accessing such information." But given that government officials at the DOJ and NSA have asserted a "strong national security interest" in accessing the information---and that the court has no basis for questioning that interest---Judge Bates concludes that the "Court is prepared---albeit reluctantly---to grant the government's request with respect to information that is not subject to Section 1809(a)(2)'s prohibition."