The NSA Hides Its Domestic Collection by Refusing to Count It
In his speech at Cato last week Ron Wyden made it clear that when he asked Keith Alexander and James Clapper in advance of the reauthorization of the FISA Amendments Act for the number of Americans’ communications that had been collected under Section 702, he meant to elicit the estimates John Bates made in his October 3, 2011 opinion.
I spent much of 2012 asking the NSA and the DNI [Director of National Intelligence] whether anyone had done an estimate of how many American communications had been collected under section 702. The ODNI and the NSA insisted that such an estimate was impossible, but what they failed to tell the public was that the Fisa court had already done one.
Bates had the NSA conduct a manual review of a statistical subsection of 50,440 transactions collected via upstream collection between January and June 2011. (Note, it appears Bates may have had to raise dire warnings with “top DOJ officials” on July 8, 2011 before he got such a review.) He then annualized the results and estimated that the NSA was collecting up to 56,000 communications of Americans each year, made up of 46,000 communications consisting entirely of an American’s communication (Single Communication Transactions), and 10,000 in which their communication got included in a Multiple Communication Transaction swept up in the search.
Given what we’ve learned about the 2011 confrontation, Wyden’s serial requests for this information take on added importance for two reasons.
Administration never disclosed its domestic collection to the most Members of Congress
First, because the Administration very pointedly did not inform the bulk of Congress that NSA had been — and had been allowed to continue — collecting purely domestic communications from telecom switches. Neither the February 9, 2012 statement to the Senate Intelligence Committee nor the May 4, 2012 notice to Congress provided any indication that this violation involved collecting domestic communications (the December 8, 2011 statement to the House Intelligence Committee did, and both Committees, presumably as well as the Judiciary Committees, received the opinion itself, which makes that clear). It’s also not clear whether any of these notices included any mention of the SCTs, those single communication transactions involving just a US person communication.
Here’s what the general notice to Congress said (which almost certainly was not shared with House members in any case).
On October 3, 2011, the FISC issued an opinion addressing the Government’s submission of replacement certifications under section 702. Although the FISC upheld the bulk of the Government’s submission, it denied in part the Government’s requests to authorize the certifications because of its concerns about the rules governing the retention of certain non-targeted Internet communications — so called multi-communication transactions or MCTs — acquired through NSA’s upstream collection. The FISC recognized, however, that the Government may be able to “tailor the scope of NSA’s upstream collection, or adopt more stringent post-acquisition safeguards” in a manner that would satisfy its concerns, and suggested a number of possibilities as to how this might be done. In response to this opinion, the NSA, Department of Justice, and ODNI worked to correct the deficiencies identified by the Court. On November 30, the FISC granted the Government’s request for approval of the amended procedures, stating that, with regard to information acquired pursuant to the 2011 certifications, “the government has adequately corrected the deficiencies identified in the October 3 Opinion,” and that the amended procedures, when “viewed as a whole, meet the applicable statutory and constitutional requirements.’ These amended procedures continue to allow for the upstream collection of MCTs; however, they also create more rigorous rules governing the retention of MCTs as well as NSA analysts’ exposure to, and use of, non-targeted communications. The Government’s extensive efforts over several months to address this matter, and the FISC’s exhaustive analysis of it, demonstrates how well the existing oversight regime works in ensuring that collection is undertaken in conformity with the statute and Court-approved procedures.
No mention of SCTs, and no mention that both the MCTs and SCTs involved wholly domestic communications. (Nor, for that matter, did the notice tell Congress that NSA and CIA had been granted permission in 2011 — like that the FBI already had — to search incidentally collected data for US person information.)
Wyden tries to get the Administration to disclose it is collecting domestic communications
Thus, to some extent, Wyden’s efforts may be understood as an effort to force the Administration to disclose the most critical details of FAA.
The very day the Congressional notice was received by the Committee Chairs, May 4, 2012, Wyden and Mark Udall asked the Intelligence Community Inspector General Charles McCullough if it was possible to estimate the number of Americans sucked up in this. McCullough had NSA’s IG George Ellard respond. They stalled through the entire mark-up period of the bill. Only after the bill had been voted out of the Intelligence Committee without mandating such a review (based on the pending response from the IGs) did Ellard and McCullough respond that it would take too many resources to provide such a response, and besides, it would “violate the privacy of U.S. persons.”
That’s when Wyden’s efforts to expose this started, with this July 26 letter to James Clapper, signed by 11 other Senators, stating,
We are concerned that Congress and the public do not currently have a full understanding of the impact that this law has had on the privacy of law-abiding Americans. In particular, we are alarmed that the intelligence community has stated that “it is not reasonably possible to identify the number of people located inside the United States whose communications may have been reviewed” under the FISA Amendments Act.
And asking, in part,
- Have any entities made any estimates — even imprecise estimates — about how many US communications have been collected under section 702 authorities?
- Is it possible for the intelligence community to estimate the order of magnitude of this number? (For example, is it closer to 100, or 100,000, or 100 million?)
- To your knowledge, have any wholly domestic communications been collected under Section 702 authorities?
(The letter also attempted to elicit responses about NSA’s authority, granted under that same 2011 opinion, to search incidentally collected communications.)
Clapper responded a month later, demanding the bill be passed with no changes and citing statute but not offering any response on the numbers. In October, Wyden and Udall tried to get a response from Keith Alexander. In November, they tried again with Clapper. Both Alexander’s response and Clapper’s response say they couldn’t provide any more information without compromising NSA’s ability to collect intelligence; it appears that neither ever answered the question about numbers. And so FAA was reauthorized without the Administration ever telling most people who voted to reauthorize it about this domestic communication.
Bates didn’t provide SCTs with any additional protection
Which brings me to the other concern. As I noted, above, the 2011 dispute involved two kinds of domestic communications: MCTs (in which domestic communications were collected along with legally targetable targeted communications) and SCTs (in which domestic communications came up by themselves on a search).
Bates imposed new restrictions on MCTs. But he added no new restrictions on the SCTs. Some of his discussion rationalizing that decision relies on an opinion that doesn’t account for upstream collection (the 2008 one) or that predates both Protect America Act and FAA (the 2007 one).
To the extent NSA is acquiring Internet transactions that contain a single discrete communication that is to, from, or about a tasked selector, the Court’s previous analysis remains valid. As explained in greater detail in the Court’s September 4, 2008 Memorandum Opinion, in this setting the person being targeted is the user of the tasked selector, and NSA’s pre-targeting and post-targeting procedures ensure that NSA will only acquire such transactions so long as there is a reasonable belief that the target is located outside the United States.
[snip]
A transaction that is identified as an SCT rather than an MCT must be handled in accordance with the standard minimization procedures that are discussed above.
[snip]
NSA’s upstream collection also likely results in the acquisition of tens of thousands of wholly SCTs that contain references to targeted selectors. See supra, pages 33-34 & note 33 (discussing the limits [redacted] Although the collection of wholly domestic “about” SCTs is troubling, they do not raise the same minimization-related concerns as discrete, wholly domestic communications that are neither to, from, nor about targeted selectors, or as discrete communications that are neither to, from, nor about targeted selectors, to any target, either of which may be contained within MCTs. The Court has effectively concluded that certain communications containing a reference to a targeted selector are reasonably likely to contain foreign intelligence information, including communications between non-target accounts that contain the name of the targeted facility in the body of the message. See Docket No. 07-449, May 31, 2007 Primary Order at 12 (finding probable cause to believe that certain “about” communications were “themselves being sent and/or received by one of the targeted foreign powers”). Insofar as the discrete, wholly domestic “about” communications at issue here are communications between non-target accounts that contain the name of the targeted facility, the same conclusion applies to them. Accordingly, in the language of FISA’s definition of minimization procedures, the acquisition of wholly domestic communications about targeted selectors will generally be “consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.” See 50 U.S.C. 1801(h)(1). Nevertheless, the Court understands that in the event NSA identifies a discrete, wholly domestic “about” communication in its databases, the communication will be destroyed upon recognition.
That 2007 opinion, written before the laws limiting the ability to collect domestic communications, appears to equate use of a “selector” (which may be a phone number or an email, but in its current incarnation may well use pieces of code in search of cyber threats) with being an agent of a foreign power. Given the description, it likely was a primary order for the purportedly defunct Internet dragnet program; if so, it would represent the application of an opinion about metadata to collection including content. [Update: No. This was the upstream content one.]
And while Bates seems to have convinced himself these entirely domestic communications will be destroyed, under the terms of the minimization procedures, it actually only gets destroyed if 1) it is identified as US person communication and 2) it doesn’t meet one of four criteria for retention.
Internet transactions acquired through NSA’s upstream collection techniques that do not contain any information that meets the retention standards set forth in these procedures and that are known to contain communications of or concerning United States persons will be destroyed upon recognition. All Internet transactions may be retained no longer than two years from the expiration date of the certification authorizing the collection in any event. The Internet transactions that may be retained include those that were acquired because of limitations on NSA’s ability to filter communications. Any Internet communications acquired through NSA’s upstream collection techniques that are retained in accordance with this subsection may be reviewed and processed only in accordance with the standards set forth in subsection 3 (b)( S) of these procedures.
Those four exceptions are if the communication,
- Is reasonably believed to contain significant foreign intelligence information
- Does not contain foreign intelligence information but is reasonably believed to contain evidence of a crime that has been, is being, or is about to be committed
- Is reasonably believed to contain technical data base information
- Contains information pertaining to a threat of serious harm to life or property
(These all require DIRNSA certification; I’m really curious whether this, like so much of what NSA does, takes place in bulk on a programmatic level.)
In other words, Bates’ ruling would allow the collection and retention of a broad range of domestic communications, particularly that relating to cybersecurity (the technical data base) or IP (the threat to property, which is not derived from statute), based not on whom that American communicated with, but on what she communicated about.
Remember: these SCTs — not the MCTs which Bates was more concerned about — constitute the bulk of the domestic collection under the upstream program.
At least as far as we know.
Administration refused to count domestic SCTs for Bates
Because NSA refused to provide that number, even to Bates.
Here’s how Bates came up with his 46,000 number for SCTs.
NSA’s manual review focused on examining the MCTs acquired through NSA’s upstream collection in order to assess whether any contained wholly domestic communications. Sept. 7, 2011 Hearing Tr. at 13-14. As a result, once NSA determined that a transaction contained a single discrete communication, no further analysis of that transaction was done. See Aug. 16 Submission at 3. After the Court expressed concern that this category of transactions might also contain wholly domestic communications, NSA conducted a further review. See Sept. 9 Submission at 4. NSA ultimately did not provide the Court with an estimate of the number of wholly domestic “about” SCTs that may be acquired through its upstream collection. Instead, NSA has concluded that “the probability of encountering wholly domestic communications in transactions that feature only a single, discrete communication should be smaller — and certainly no greater — than potentially encountering wholly domestic communications within MCTs.” Sept. 13 Submission at 2.
The Court understands this to mean that the percentage of wholly domestic communications within the universe of SCTs acquired through NSA’s upstream collection should not exceed the percentage of MCTs within its statistical sample. Since NSA found 10 MCTs with wholly domestic communications within the 5,081 MCTs reviewed, the relevant percentage is .197% (10/5,081). Aug. 16 Submission at 5.
NSA’s manual review found that approximately 90% of the 50,440 transactions in the same were SCTs. Id. at 3. Ninety percent of the approximately 13, 25 million total Internet transactions acquired by NSA through its upstream collection during the six-month period, works out to be approximately 11,925,000 transactions. Those 11,925,000 transactions would constitute the universe of SCTs acquired during the six-month period, and .197% of that universe would be approximately 23,000 wholly domestic SCTs. Thus, NSA may be acquiring as many as 46,000 wholly domestic “about” SCTs each year, in addition to the 2,000-10,000 MCTs referenced above.
Bates said, “go and find out how much of these SCTs are domestic,” and NSA came back and said, “No. But trust us, we don’t think it’s all that much.”
This, in spite of details like these from WSJ’s report on this collection.
Verizon Communications Inc., for example, has placed intercepts in the largest U.S. metropolitan areas, according to one person familiar with the technology. It isn’t clear how much information these intercepts send to the NSA. A Verizon spokesman declined to comment.
[snip]
Lawyers for at least one major provider have taken the view that they will provide access only to “clearly foreign” streams of data—for example, ones involving connections to ISPs in, say, Mexico, according to the person familiar with the legal process. The complexities of Internet routing mean it isn’t always easy to isolate foreign traffic, but the goal is “to prevent traffic from Kansas City to San Francisco from ending up” with the NSA, the person says.
At times, the NSA has asked for access to data streams that are more likely to include domestic communications, this person says, and “it has caused friction.” This person added that government officials have said some providers do indeed comply with requests like this.
The NSA knows that some of this is entirely domestic, because they’ve designed it to be. So much so, in fact, that at least one non-Verizon provider has balked at providing it.
But they won’t count it, not for Congress, not for the Court. And what they don’t count, we can’t object to as an obviously unreasonable effort to collect domestic intelligence using a “foreign” intelligence program (as if cyberattacks can be separated as such in any case!).
Administration excuses reveal how problematic this is
Which brings us, finally, to the three excuses they’ve publicly offered for not doing so:
- Inspector General resource issues
- The “privacy” of US persons
- It would compromise sources and methods
The resource issue is, of course, a feint. The NSA has already had to spend time counting individual communications. They could do so again — and could have counted the SCTs back in September 2011. They just want to pretend only the IG can do this (they do happen to be the only entity Congress can task to do so).
The other two, taken in tandem, are more telling though.
The only way it’d be a privacy violation to count US person SCTs is if there are many of them (though one reason they’re saying that is the IP address as collected wouldn’t make it immediately clear — see page 34 of the Bates opinion).
Then there’s the indication that Clapper and Alexander refused to give a response to even Senators who’d been briefed (though some of the 11 were not on Judiciary or Intelligence). The only thing — aside from how the algorithms work — that hasn’t been disclosed since is that this includes a lot of US person collection.
Because, of course, if it became clear how much of this they were doing — how far outside the terms of the statute they’ve been operating — then they’d no longer be able to collect this (this is especially true since Bates told NSA that since they had admitted some of the MCTs were domestic, they could no longer pretend they didn’t know about it).
But if you refuse to quantify how much domestic communications you’re collecting in the guise of foreign intelligence, then no one can tell you to stop.
The “privacy” of US persons seems unrelated to revealing anonymized data on how many of them or their communications the government accidentally and unintentionally surveils. But we’ve long been down Alice’s rabbit hole regarding government defenses for such programs.
The privacy of US persons, one would think, would be unaffected by releasing data on the number of US persons or the number of their communications surveilled accidentally by the government. More damning would be the high percentage of such “accidents” relative to legitimate data searches, suggesting that they are not accidental at all.
@earlofhuntingdon:
I wouldn’t think numbers such as those being requested would do any harm to privacy, unlike the information actually being collected. (They might very well harm the cases the ‘intelligence’ agencies are trying to make, but that’s fine with me.)
I hope this hasn’t been posted all over here before now, and I’m wondering if this may be a big deal. Seems like it could be, but in actual internet operations, is it?
http://www.internetgovernance.org/2013/10/11/the-core-internet-institutions-abandon-the-us-government/
@Tom in AZ: I’m particularly interested in the emphasis on Commerce losing its influence.
@Tom in AZ: I assume, of course, that if they didn’t say “please” to Alexander, it won’t happen. Well, I might not assume that, but I will bet Alexander does.
@emptywheel: I think that is a good thing. The agendas of the political appointees and the ‘burrowed in’ ideologues aren’t good for us or them. Well, maybe a tiny percentage of ‘us’.
Edited for clarity.
Emptywheel had a blog post and Der Spiegel had an article on September 15, 2013 that each may have related to this Emptywheel post.
The Der Spiegel article, based on NSA documents leaked by Snowden about NSA’s Follow the Money surveillance of electronic fund transfers in the bank and credit card sectors, reported that the British counterpart agency to NSA, GCHQ, which is most observers would not expect to be overly concerned about civil liberties, is worried that NSA’s Follow the Money real-time electronic surveillance of bank and credit card transactions is deeply intrusive into the civil liberties of citizens:
“But even intelligence agency employees are somewhat concerned about spying on the world finance system, according to one document from the UK’s intelligence agency GCHQ concerning the legal perspectives on “financial data” and the agency’s own cooperations with the NSA in this area. The collection, storage and sharing of politically sensitive data is a deep invasion of privacy, and involved “bulk data” full of “rich personal information,” much of which “is not about our targets,” the document says.”
Emptywheel’s post the same day notes that the volume of intercepted communications stored in NSA’s special database for the Follow the Money Program, i.e., Tracfin, is disproportionately small in comparison to the volume of bank transactions available for NSA intercepts in just one of its wire transfer clearing house targets.
NSA began its Follow the Money bank surveillance program in 1981 when it installed stolen copies of INSLAW, Inc.’s PROMIS tracking software on the computers of three major clearing houses in the United States and Europe, including CHIPS (Clearing House Inter-Payment System) in New York City for dollar-denominated transfers, which presumably would disproportionately involve American citizens and others residing in the United States.
NSA is unlikely to have refused to store these intercepts and the volume of intercepts stored in its Follow the Money Tracfin database, as already noted, is too small in comparison with the size of the intercept opportunity. Moreover, storing the deeply intrusive bank intercepts of Americans without minimizing them by deleting the names of the Americans might get the NSA in trouble if the practice were ever discovered.
One way to solve the problem would be for NSA to store the American banking intercepts somewhere else where NSA and the attorneys from the Depertment of Justice’s Office of Legal Counsel (OLC) could invent a rationale. One possibility is the Main Core domestic spying database system administered by the Federal Emergency Management Agency (FEMA) under the highly classified and highly compartmentalized Continuity of Government (COG) Program, ostensibly for hand-off to the Defense Intelligence Agency (DIA) and the U.S. Army in the event of a national catastrophe and the imposition of martial law.
Once such a database was created, the data could be made available to select government units for nefarious purposes through encrypted online connections.
The subject is cropping up everywhere:
The bright side is that NSA, or Trendnet, or an interceptor in the Peaceful Chongqing network can probably help this woman out:
Soon there’ll be a special ap that runs an image search engine …