Confirmed: NSA Does Search Section 702 Data for Particular US Person Data

Update: To help Joshua Foust understand this topic, I did a second, really basic version of this post here. So if you’re fairly new to all this stuff, you might start there and then come back.

Update: Alexander’s office has conceded Udall and Wyden’s point about the classified inaccuracy. It also notes:

With respect to the second point raised in your 24 June 2013 letter, the fact sheet did not imply nor was it intended to imply “that the NSA has the ability to determine how many American communications it has collected under section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans.”

He then cites two letters from James Clapper’s office which I don’t believe have been published.

I’ve seen some people complaining that Ron Wyden and Mark Udall didn’t explicitly describe what Keith Alexander’s lies were in the NSA handout on Section 702 collection (note, as of 1PM, NSA has taken down their handout from their server). I’m okay with them leaving big breadcrumbs instead, not least because until we fix intelligence oversight, we’re going to need people like them who manage to stay on the committees but lay these signposts.

That said, I think people are underestimating how big of a signpost they did leave. Consider this, from their letter:

Separately, this same fact sheet states that under Section 702, “Any inadvertently acquired communication of or concerning a US person must be promptly destroyed if it is neither relevant to the authorized purpose nor evidence of a crime.” We believe that this statement is somewhat misleading, in that it implies that the NSA has the ability to determine how many American communications it has collected under section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans. [my emphasis]

Last year’s SSCI report on extending the FISA Amendments Act strongly implied that the government interpreted the law to mean it could search for records of particular Americans.

During the Committee’s consideration of this legislation, several Senators expressed a desire to quantify the extent of incidental collection under Section 702. I share this desire. However, the Committee has been repeatedly advised by the ODNI that due to the nature of the collection and the limits of the technology involved, it is not reasonably possible to identify the number of people located in the United States whose communications may have been reviewed under Section 702 authority. Senators Ron Wyden and Mark Udall have requested a review by the Inspector General of the NSA and the Inspector General of the Intelligence Community to determine whether it is feasible to estimate this number. The Inspectors General are conducting that review now, thus making an amendment on this subject unnecessary.

Finally, on a related matter, the Committee considered whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited or more robustly constrained. As already noted, the Intelligence Community is strictly prohibited from using Section 702 to target a U.S. person, which must at all times be carried out pursuant to an individualized court order based upon probable cause. With respect to analyzing the information lawfully collected under Section 702, however, the Intelligence Community provided several examples in which it might have a legitimate foreign intelligence need to conduct queries in order to analyze data already in its possession. [my emphasis]

This passage made it clear that the Intelligence Community had demanded the ability to search on US person data already collected. Wyden and Udall’s letter makes that even more clear.

And the minimization procedures leaked last week support this (though note, these date to 2009 and might have been ruled to violate the Fourth Amendment since, though I suspect they haven’t).

They make it clear that US person communications will be retained if they contain foreign intelligence information (a term not defined in the procedures), including those they collected because (they claim) they’re unable to filter it out.

3(b)

(1) Personnel will exercise reasonable judgment in determining whether information acquired must be minimized and will destroyed inadvertently acquired communications of or concerning a United States person at the earliest practicable point in the processing cycle at which such communication can be identified either: as clearly not relevant to the authorized purpose of the acquisition (e.g., the communication does not contain foreign intelligence information)

[snip]

The communications that may be retained include electronic communications acquired because of limitations on NSA’s ability to filter communications.

(2) Communications of or concerning United States persons that may be related to the authorized purpose of the acquisition may be forwarded to analytic personnel responsible for producing intelligence information from the collected data.

The procedures make it clear that, with authorization from the NSA Director, even communications entirely between US persons may be retained (see section 5) if they are of significant intelligence value. Communications showing a communications security vulnerability may also be retained (this permission, related to cybersecurity, was not made public in the NSA handout).

And here’s perhaps the most interesting way of keeping US person data.

6(c)

(1) NSA may provide to the Central Intelligence Agency (CIA) unminimized communications acquired pursuant to section 702 of the Act. CIA will identify to NSA targets for which NSA may provide unminimized communications to CIA. CIA will process any such unminimized communications received from NSA in accordance with CIA minimization procedures …

(2) NSA may provide to the FBI unminimized communications acquired pursuant to section 702 of the Act. FBI will identify to NSA targets for which NSA may provide unminimized communications to the FBI. FBI will process any such unminimized communications received from NSA in accordance with FBI minimization procedures …

This is a kind of collection that Pat Leahy seems to believe escapes review by current Inspector General reviews of the program, as he tried to mandate such reviews in last year’s reauthorization.

The minimization procedures also appear to support Julian Sanchez’ guesstimate of how they could pull up US person contacts, since a phone number or unique name are not explicitly included among the identifiers that would constitute IDing a US person.

Now, all that doesn’t specifically address the other lie Wyden and Udall invoked, which they describe “portrays protections for Americans’ privacy as being significantly stronger than they actually are.” But I think the points I’ve laid out above — particularly the cybersecurity collection that is entirely unmentioned in the 702 sheet — probably lays out the gist of Alexander’s lies.

The government has spent the entire time since these documents were revealed trying to lie to Americans about whether their contacts with foreigners can be retained and read. And those lies keep getting exposed.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

18 replies
  1. Hmmm says:

    I seem to remember most or all of the assurances since Snowden were limited to statements that the NSA specifically wasn’t listening to calls or reading emails. Not that nobody in FBI, CIA, or for that matter other departments of government or industry weren’t. Interviewers of high ranking officials have all seem deeply unprepared to apprehend that point and press it to a clear answer.

  2. Garrett says:

    Thanks for the link to the memory unhole for the NSA undocument with the unprocedures for the U.S. unpersons.

  3. JohnT says:

    How many thousands of words did we (mostly Marcy) type a few years ago saying this was exactly what they were going to do?

  4. Chetnolian says:

    Based upon what we are hearing this side of the Pond on what undercover cops were doing years ago to people whose only sin was to doubt the total goodness of all things governmental you can be sure of one thing. If they’ve got it they’ll read it and use it how they like, whatever these pesky lawyers and constitutional experts carp on about.

  5. C says:

    @JohnT: Sadly they’ve been doing that here for a while. For anyone who doubts the FBI’s willingness to make work for themselves I suggest a review of the Eric McDavid case still the highest profile bust of an “Eco Terrorist” in the U.S.:

    https://en.wikipedia.org/wiki/Eric_McDavid

    The takeway notes from the article are:

    “Anna” had been working with the FBI to infiltrate the group since 2004. She encouraged their activities and provided them with bomb-making information, money to buy the raw materials, transportation and a cabin to work in, and produced consensual audio and video recordings of their activities.[6] According to “Anna”, McDavid threatened to kill her if she turned out to be working with law enforcement.[6][11]

    Defense attorney Mark Reichel argued that “Anna” acted as an agent provocateur: encouraging the group to focus on a target, paying for meeting arrangements and supplies, and urging the group to act when they wavered. Reichel stated at the trial, “the crisp $100 bills and a Dutch Flat cabin where the group lived in the days leading up to the trio’s arrest–all supplied by “Anna” thanks to her FBI sponsors…That’s the creation of a case…Without ‘Anna,’ you have nothing.”[12]

    In fact according to other articles “Anna” didn’t just supply them with weapons she also tried to teach them how to make them, and failed and repeatedly pushed the group to do damage even as they, vegans, were unwilling to do anything that would harm animals.

    At trial “Anna” was not produced supposedly because revealing her identity would subject her to death threats. Then she did an interview with Elle magazine:
    http://www.greenisthenewred.com/blog/elle_anna/421/
    Apparently the shoe buyers are safe.

  6. Snoopdido says:

    The title of this Emptywheel post is interesting more than for just the contents of this post. From an Eli Lake piece today (http://www.thedailybeast.com/articles/2013/06/25/greenwald-snowden-s-files-are-out-there-if-anything-happens-to-him.html):

    “For now, Greenwald said he is taking extra precautions against the prospect that he is a target of U.S. surveillance. He said he began using encrypted email when he began communicating with Snowden in February after Snowden sent him a YouTube video walking him through the procedure to encrypt his email.

    “When I was in Hong Kong, I spoke to my partner in Rio via Skype and told him I would send an electronic encrypted copy of the documents,” Greenwald said. “I did not end up doing it. Two days later his laptop was stolen from our house and nothing else was taken. Nothing like that has happened before. I am not saying it’s connected to this, but obviously the possibility exists.”

    When asked if Greenwald believed his computer was being monitored by the U.S. government. “I would be shocked if the U.S. government were not trying to access the information on my computer. I carry my computers and data with me everywhere I go.”

    I’d say that Emptywheel’s confirmation is confirmed again.

  7. Wondering says:

    Would it count as “foreign” contacts if all a person’s attempts to seek help for computer harassment end up in the same Filipino or Mexican or Indian (subcontinent) outsourced “help” desks, by institutional or state-level fiat? Would a person look “foreign” if their goofy nickname was also a common Saudi surname by some coincidence? Really, I am asking.

  8. Snoopdido says:

    @P J Evans: As the Department of Justice doesn’t believe and accord bloggers journalist status, it would seem highly likely that Glenn Greenwald is on their hit list.

  9. greengiant says:

    Maybe someone can make a table of what the IC is doing along with potential justifications. Retain refers to storing it in the mother of all databases.

    1. Retain wireless pen registers – ( people don’t own wireless pen registers, the cell provider does, thus the “business” FISA request? anyway a wireless pen register is not a pen register )
    2. Retain email sender/receiver – ( No right to privacy there, someone besides the sender/receiver sees this in many places )
    3. Retain wireless GPS locations – ( cell tower providers own this )
    4. Retain email contents – ( Again, sender receiver don’t “own” the contents of their email since anywhere they reach on the web they can be copied, (maybe copyright notices would be a problem for the naive) )
    5. Retain all twitters – ( Done, Library of Congress sucked those down)
    6. Retain all google etc search engine searches ( Done )
    7. Retain all web page hits – ( Done, browsers doing that and selling the info )
    8. Retain OS used, ISP address, browser used, location – ( Done any ole web link you hit can ask that info and get it )
    9. Retain all social media/facebook posts,likes,friends,messages. ( Done)
    10. Retain all IM, immediate messaging, sender,receiver,contents ( Done, see anything transferred on the net is fair game ) Note there are
    a number of slightly obscure IM methods available.
    11. Retain all voice over internet protocol, sender,receivers,contents ( Done, see anything transferred, and for example Skype )
    12. Retain all cell phone audio, ( done, see retain all voice over internet protocol ).
    13. Retain all audio in presence of cell phone with battery in phone,
    ( slightly more speculative, but whistleblowers and observers say it has been done to some extent )
    14. Retain all audio in presence of laptops, notebooks etc. even if powered off ( slightly more speculative, but again whistleblowers and observers say it has been done to some extent )
    15. Proactively convince the unknowing to be in the presence of, as in drive a car or carry a device that records all audio.
    16. Etc,etc, etc.

    Probably some logic about when using anything “licensed” then the licensee has no right to privacy.

    More logic about anything done by software/hardware to the retained data has no restrictions. If Apple can have stateless corporations for tax purposes, since when did a computer commit a crime or follow the law? At best until some very small subset of the raw data is actually viewed/heard by a US government employee, anything goes. Contractors don’t count, they are cut outs.

    Stealing Greenwald’s partner’s computer from “their” house was a nice touch. ( assuming this is correct )

  10. C says:

    @emptywheel: I think we have to rethink our use of the word ‘targeted.’ Generally the word has a notion of precision e.g. “William Tell’s arrow was well targeted.” But targeting is just about what you are after not about the spread. I can easily target someone in a crowd with an arrow, sniper rifle, or hand-grenade. All three are “narrowly targeted” its just what happens to the other people. Perhaps a better analogy however is the constant guarantee that the predator missiles fired from drones are “targeted.” We have been assured this means precision although as any wedding party planner in the Tora-Bora region will attest that isn’t the case.

    I bring this up because the conjunctive nature of the NSA’s requests is essentially guaranteed to pick up random people and thus there is no way for them to do it without having the whole haystack and no way to go anywhere without “targeting” with a net that is very very broad.

    I think this is why they keep falling back to the “terror Terror TERRER” defense because they know minimization is no good.

Comments are closed.