NSA’s Training Programs Are a Mess
In addition to the way NSA claims to be operating under EO 12333 at times when it might be operating under some law passed by Congress, there’s another reason why Snowden’s question to NSA’s Office of General Counsel is worthwhile (though I doubt it’s why he asked).
NSA’s training programs — at least as released to ACLU and EFF under FOIA — are a horrible contradictory mess.
Two training programs closely related to the one he emailed in response to got released last year (though neither appears to be the training program in question): A “Core Intelligence Oversight Training” dating to sometime in 2009 or later, and this Office of General Counsel Powerpoint that is referred to as a Cryptological School Course, from which the image above was taken. (Side note: I repeat what I have said in the past: from a training methodology standpoint, these “training programs” are unbelievably shitty, which is particularly notable given that DOD does pay for a lot of state-of-the-art training programs on other topics.)
The Core Intelligence Oversight Training isn’t really training at all. It’s just a reproduction of the regulations in question. It includes:
- The 2008 update of EO 12333, but with the original 1981 date attached
- DOD 5240 1-R, dated 1982
- NSA/CSS Policy 1-23, issued on March 11, 2004 (interesting date to update such a policy!), and revised twice, most recently May 29, 2009; it includes an Annex that serves as a classified annex to EO 12333 that is dated April 26, 1988
- DTM 08-052, dated Jun 17, 2009; it cites EO 12333 “as amended” but doesn’t provide any amendment date
Several of these documents purport to implement or refer to FISA, but only the NSA/CSS Policy post-dates the detailed implementation of FISA Amendments Act (and it precedes key changes to the current minimization procedures tied to FISA).
And read together, these documents are utterly confusing.
My favorite is this part of DOD 5240, which would seem to contradict James “Too Cute by Half” Clapper’s definition of collection.
Collection. Information shall be considered as “collected” only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties. Thus, information volunteered to a DoD intelligence component by a cooperating source would be “collected” under this procedure when an employee of such component officially accepts, in some manner, such information for use within that component. Data acquired by electronic means is “collected” only when it has been processed into intelligible form.
But both its definition of electronic surveillance and its rules on collecting the content of Americans overseas were superseded by FAA’s requirement of an order to collect on US persons overseas (and no longer considers electronic surveillance overseas electronic surveillance).
Except as provided in paragraph C5.2.5., below, DoD intelligence components may conduct electronic surveillance against a United States person who is outside the United States for foreign intelligence and counterintelligence purposes only if the surveillance is approved by the Attorney General.
The “updated” documents don’t help either. Because NSA/CSS Policy 1-23 relies on the annex dating to 1988, it claims NSA can collect on the content of Americans with Attorney General approval for 90 days.
(4) with specific prior approval by the Attorney General based on a finding by the Attorney General that there is probable cause to believe the United States person is an agent of a foreign power and that the purpose of the interception or selection is to collect significant foreign intelligence. Such approvals shall be limited to a period of time not to exceed ninety days for individuals and one year for entities.
Remember, this is purportedly “training,” and yet I’m not clear how an NSA trainee would learn that collecting content on Americans overseas requires a FISA order.
Trainees could get that information from the 2009 Cryptological School Course, which properly defines electronic surveillance and lays out Section 703-5.
But even that training course is out of date. For example, it says NSA cannot use FAA authorities to target “anything/anyone in the US,” but upstream collection under 702 targets those using certain selectors as content in the US. And even the 2011 minimization procedures limiting upstream collection don’t require destruction of upstream communications in which all communicants are in the US.
This program also includes the oblique comment that searching in databases of raw data constitutes a “collection/targeting” activity.
To protect the privacy rights of U.S. citizens, Department of Justice has determined searches of these databases are a collection/targeting activity.
Which would seem to conflict with the definition of collection a trainee got from DOD 5240.
I realize experienced NSA professionals have a better idea of how these various regulations all fit together. And I realize some of this is controlled through access controls that ensure NSA people only access the most up-to-date rules.
But these documents are billed as training, about the core restrictions regarding their collection. And they are downright contradictory.
I don’t think that’s why Snowden asked the OGC the question he did. Though the response he got regarding precedence of the various agency directives — that “DOD and ODNI regulations are afforded similar precedence though subject matter or date could result in one having precedence over another” — would only exacerbate any confusion a trainee had.
But if the training program Snowden was using is anything like these documents, there’d be good reason to believe that inexperienced trainees were not getting a clear idea of what they were allowed to do with US person data.
Update: One more point about these training programs, especially the classified annex to EO 12333 that dates to 1988. This is a problem that both PCLOB and HPSCI have identified and tried to fix (though HPSCI did not include their bill language to do so in either the USA Freedumber or the unclassified parts of the Intelligence Authorization). This shows why it is important: because NSA people are being trained on materials that tell them they can collect US person data overseas without a FISA order.