Upstream Internet Collection and Minimization Procedures

new-prism-slide-001-460x345As I noted in this post, the Guardian’s report on the aftermath of the October 3, 2011 FISA Court decision seemed to suggest that Google and Yahoo content was collected as upstream collection, not from their servers.

Changes made in the minimization procedures seem to support that.

In section 3(c), which covers Destruction of Raw Data, the old procedures treat all communications the same:

Communications and other information … will be reviewed for retention in accordance with the standards set forth in these procedures.

But the new minimization procedures have to break out that section into two categories to comply with the new restrictions imposed by the FISA Court. There’s the category of data that will be treated under the old rules:

Telephony communications, Internet communications acquired by or with the assistance of the Federal Bureau of Investigation from Internet Service Providers, and other discrete forms of information…

And then there’s the category that will be subjected to the new rules:

Internet transactions acquired through NSA’s upstream collection techniques …

Now, this doesn’t confirm that Google and Yahoo are providing “upstream” data, but if they’re not, it means the only data they’re providing to the NSA is done through FBI requests (perhaps parallel to FBI’s Section 215 request for telephone metadata that gets promptly delivered to the NSA; this could refer to the old Pen Register/Trap and Trace Internet collection, but October 31, 2011 is awfully late in 2011 for eliminating that collection and if it is, why is it still in the minimization procedures?). Except all the discussions surrounding PRISM suggests that data is turned over directly to the NSA, which would mean it is considered upstream collection.

One more note: the old procedures have a phrase in this section and section 3(b)(1) that suggests NSA knew they were collecting US person data back in 2009 when the procedures were written.

The communications that may be retained include electronic communications acquired because of limitations on NSA’s ability to filter communications.

That sentence is removed from the new procedures, suggesting this “limitations on NSA’s ability to filter communications” collection is precisely the Internet transaction collection at issue. And the only reason they’d have to specifically allow themselves to retain it before (since all foreign person data can be retained) is if they knew it included US person data.

Update: Correction: The sentence above gets translated to, “The Internet transactions that may be retained include those that were acquired because of limitations on NSA’s ability to filter communications.” So it is in there.

But the November 30, 2011 FISC opinion (see footnote 6) makes it clear that this is–and was–US person data.

The Court understands this sentence to refer only to Internet transactions that contain wholly domestic communications but that are not recognized as such by NSA.

So if that language was in minimization procedures going back to at least 2009, doesn’t that mean the government knew it was collecting that US person data?

Update: Note that footnote 24 of the October 3, 2011 opinion seems to make it clear that the Internet collection is not upstream at all, and doesn’t include MCTs.

In addition to its upstream collection, NSA acquires discrete Internet communications from Internet service providers such as [redacted] Aug. 16 Submission at 2; Aug. 30 Submission at 11; see also Sept. 7 2011 Hearing Tr. at 75-77. NSA refers to this non-upstream collection as its “PRISM collection.” Aug. 30 Submission at 11. The Court understands that NSA does not acquire Internet transactions” through its PRISM collection. See Aug Submission at 1.

4 replies
  1. Saul Tannenbaum says:

    Google, because of its size, scale, and its worldwide scope, runs its own internet backbone and should be thought of as both a company that runs servers and a company that provides internet connectivity. If doing a Google search and you’re (in the internet sense) a Google point of presence, that traffic is going to be routed to Google’s network as near to you as possible. Doing “upstream” collection from Google seems like a thing the NSA would do for completeness sake.

Comments are closed.