The next items in our November NSA Trove, like those summarized in a prior post, focus on congressional oversight. The three pieces span a little more than a year, from 2009 to 2010. And all three were penned by NSA legislative officials, sent to intelligence committee staffers, and deal with (surprise) the NSA’s collection of internet and telephony metadata.
Without further ado:
First is a six-page memorandum, dated April 10, 2009 and addressed to the majority staff director of the Senate Select Committee on Intelligence. In it, the NSA updates the Committee on some already-identified compliance issues and informs congressional overseers of one new matter. Of the already-identified batch, the first item is NSA’s problematic implementation of a FISC-authorized business records (BR) order, wherein 2, 476 telephone numbers determined to be associated with terrorism were prematurely added to a special list for retention and query before undergoing formal NSA review designed to ensure that they met the reasonable articulable suspicion (RAS) standard.
Second, the memo notes NSA’s attempts to mitigate its inadvertent "overcollection" of data; third, it mentions a joint pilot program between NSA and the DIA's Joint Intelligence Task Force-Combating Terrorism (JITF-CT), under which JITF-CT had been allowed to access counterterrorism-related SIGINT information. That database was then shut down, amid compliance concerns.
Which brings us to new stuff. For the first time, the memo discloses to the Committee NSA's decision to suspend an entity’s access to an NSA system called X-KEYSCORE (XKS); the entity’s name is redacted from the memo. Ditto details about the system and the problems that led to its suspension.
Our second oversight document landed in Congress a little more than a month later. The five-page "Notification and Update" memorandum is dated June 29, 2009 and addressed from the NSA’s Legislative Affairs Office to the staff director of the House Permanent Select Committee on Intelligence. The document is in part a cover letter: it attaches (but does not include) the NSA’s so-called “End-to-End Review,” its internal evaluation of compliance problems found in Pen Register/Trap & Trace (PR/TT) and BR collection programs. For its part, the memo also outlines some of those problems, and reassures the Committee that NSA is taking steps to remediate four compliance issues which had been brought to the attention of Committee staff directors days earlier.
As to those issues, the June memo first discusses the FISC's approval of NSA's use of a master "defeat" list to purge unwanted information from several NSA data repositories. Second, it notes NSA's practice of sharing the unminimized results of queries of Pen Register/Trap & Trace (PR/TT) metadata with non-PR/TT-cleared NSA analysts and the FISC's subsequent order authorizing this sharing with only specially trained analysts.
NSA’s Legislative Affairs folks also devote two full pages to a third compliance issue: NSA shared the results of its NSA metadata analysis with the larger intelligence community, granting a total of about 200 CIA, FBI and NCTC analysts access to a database containing this information in violation of FISC orders requiring the application of court-approved minimization procedures prior to dissemination of analytic results outside of NSA. Technical details as to the nature of this access appear to have been redacted, but the memo references the FISC's "grave" concern with NSA's compliance failure specifically as it pertains to disseminating U.S. person information to the outside intelligence community, and the FISC’s subsequent demand that the government both file a report listing every instance of such dissemination and offer in its end-to-end reviews of the BR and PR/TT programs an explanation of why the government permitted this dissemination.
Finally, the document mentions NSA's use of inappropriate selectors to query the BR FISA metadata. Specifically, NSA analysts treated all correlated selectors to query the BR FISA metadata where only one of the selectors in the correlation was considered RAS-approved.
Some time passed before delivery of our third and final memo. It is addressed to the Senate Select Committee on Intelligence, and has a date of December 1, 2010. This time around, the idea is not to apprise the Committee generally on the NSA’s compliance progress; instead, the piece is structured as a response to the Committee’s questions about whether NSA can collect geolocation information under the PR/TT and the BR provisions of the FISA.
The short answer is “no,” sorta. According to the document, NSA does not acquire cell site location information pursuant to NSA's FISC-authorized bulk electronic communications metadata acquisition program, or cellular mobility data—"[w]ith the exception of a test data sampling acquired from one provider." That said, the memo seems to keep the door open: “NSA is, however, exploring the possibility of acquiring such mobility data under this program in the near future under the authority currently granted by the Court.”
It’s worth noting that the categories of electronic communications metadata that FISC has authorized NSA to collect are redacted from the memo. Left unredacted are the categories of telephony metadata collected.
Telephony metadata includes comprehensive communications routing information (e.g., originating and terminating telephone number, In ternational Mobile Subscriber Identity (IMSI) number, International Mobile station Equipment Identity (IMEI) number, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony metadata does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer.