Congress Currently Has Access to the Phone Dragnet Query Results

When Bernie Sanders asked the NSA whether it spied on Members of Congress, Keith Alexander responded, in part,

Among those protections is the condition that NSA can query the metadata only based on phone numbers reasonably suspected to be associated with specific foreign terrorist groups. For that reason, NSA cannot lawfully search to determine if any records NSA has received under the program have included metadata of the phone calls of any member of Congress, other American elected officials, or any other American without that predicate.

Alexander’s response was dated January 10, 2014, one week after the current dragnet order was signed.

It’s an interesting response, because one of the changes made to the dragnet access rules with the January 3 order was to provide Congress access to the data for oversight reasons. Paragraph 3D reads, in part,

Notwithstanding the above requirements, NSA may share the results from intelligence analysis queries of the BR metadata, including United States person information, with Legislative Branch personnel to facilitate lawful oversight functions.

This doesn’t actually mean Sanders (and Darrell Issa, Jerrold Nadler, and Jim Sensenbrenner, who sent a letter on just this issue yesterday) can just query up the database to find out if their records are in there. The legislature can only get query results — it can’t perform queries. And as of last week, all query identifiers have to be approved by the FISC.

Still, they might legitimately ask to see what is in the corporate store, the database including some or all past query results, which may include hundreds of millions of Americans’ call records. And Nadler and Sensenbrenner — as members of the Judiciary Committee — can legitimately claim to play an oversight role over the dragnet.

So why don’t they just ask to shop the corporate store, complete with all the US person data, as permitted by this dragnet order? While they’re at it, why not check to see if the 6 McClatchy journalists whose FOIA NSA just rejected have been dumped into the corporate store? (No, I don’t think giving Congress this access is wise, but since they have it, why not use it?)

Incidentally, this access for legislative personnel is not unprecedented. Starting on February 25, 2010 and lasting through 3 orders (so until October 29, 2010, though someone should check my work on this point) the dragnet orders included even broader language.

Notwithstanding the above requirements, NSA may share certain information, as appropriate, derived from the BR metadata, including U.S. person identifying information, with Executive Branch and Legislative Branch personnel in order to enable them to fulfill their lawful oversight functions…

Of course at that point, most of Congress had no real understanding of what the dragnet is.

Now that they do, Nadler and Sensenbrenner should use the clear provision of the dragnet order as an opportunity to develop a better understanding of what happens to query results and how broadly they implicate average Americans’ privacy.

Update: Added short explanation of corporate store.

6 replies
  1. Rory says:

    Dumb question of the month:

    “all query identifiers have to be approved by the FISC.”

    Are these identifiers for when performing a query by searching on a phone number, date, etc. or identifiers that categorize different sets of query results that have been run already?

  2. emptywheel says:

    @Rory: The former. The latter doesn’t even require a new RAS determination. That’s why I keep harping about the corporate store. It seems that one function of the dragnet, at least in the past, was to populate a database of all the call records of all the Americans who might be 3 degrees of separation from someone who might be a terrorist. They’re accessible with no auditing, and NSA can do all the data mining on them that they’re not permitted to do with the actual dragnet database.

  3. Oregon Privacy says:

    Perhaps congress is starting to ask smarter questions. Sensenbrenner, Issa, and Nadler are questioning officially how the “corporate store” works. See this story in yesterday’s Guardian:

    Sensenbrenner, Issa and Nadler wrote to Cole on Wednesday for a public clarification of the statement, which they described as “not entirely accurate” – and in doing so drew attention to a little-noticed procedure used by the NSA.

    NSA collection and potential analysis of congressional phone records “raises grave separation of powers concerns for the executive branch to interfere with the private communications of the legislative branch without congressional knowledge,” the legislators wrote.

    The NSA’s analysis of a number for which it possesses “reasonable articulable suspicion” is not limited to that number. The agency has been permitted for years to conduct what is known as a three-hop analysis, in which it traces not only the calls sent and received by the phone number, but all the calls sent and received by those numbers and then all the calls sent and received by those.

    “The NSA looks at individual numbers when it has low-level, particularized suspicion, but it looks at millions more with no suspicion of wrongdoing whatsoever, some of whom may well be members of Congress,” the legislators wrote to Cole.

    NSA analysts move the associated numbers into a database known as the “corporate store”, where further analysis of the phone records does not require any “reasonable articulable suspicion” of connection to terrorism, and no court order is needed for further study.

    “After collecting and analyzing these call records, the NSA would transfer the results to the so-called ‘corporate store’, a separate database that analysts were permitted to search without any showing of particularized suspicion,” the three legislators wrote.

    I think this is first “official” questions asking for “public clarification” about the “corporate store” asked by congress.

  4. Oregon Privacy says:

    Oh, I just noticed you linked to the story in an earlier post.

    BTW, Nadler is the Congressman who sparred with the FBI last June about if phone calls could be wiretapped and listened to without a warrant. Probably, more of the same BS – a warrant is needed to “listen” unless (not mentioned) the info is in the “corporate store” in which case an analyst just decide to listen.

    Nadler: Secondly, under section 215, if you’ve gotten information from meta-data and you as a result of that think that this phone number, 873-whatever, looks suspicious and we ought to actually get the contents of that phone… do you need a new, specific warrant?

    Mueller: You need at least a national security letter. All you have is telephone number, so you do not have subscriber information. So you need subscriber information; you would have to get a national security letter to get that subscriber information.

    Nadler: And to…

    Mueller: And if you wanted to do more…

    Nadler: If you want to listen to the phone…

    Mueller: Then you have to get a special, a particularized order from the FISA court directed at that particular phone and that particular individual.

    Nadler: Now, is the answer you just gave me classified?

    Mueller: Is what?

    Nadler: The answer you just gave me classified in any way?

    Mueller: I don’t think so.

    Nadler: Then I can say the following. We heard precisely the opposite at the briefing the other day. We heard precisely that you could get specific information from that telephone simply based on an analyst deciding that and you didn’t need a new warrant. In other words, what you just said is incorrect. So there’s a conflict.

    Mueller: I’m not certain it’s the same… I answered the same question, but I’m sorry I didn’t mean to interrupt.

    Nadler: Well I asked the question both times and I think it’s the same question. Um, so, maybe you’d better go back and check because someone was incorrect.

    Mueller: I will do that. That is my understanding of the process.

    Nadler: OK, I don’t question it was your understanding. It was always my understanding. I was quite startled the other day and I wanted to take this opportunity…

    Mueller: I’d be happy to clarify.

    Here’s the video:

    The rebuttal:

    UPDATE: Later on Sunday, the ODNI released a statement addressing the specific charges of the CNET story:

    “The statement that a single analyst can eavesdrop on domestic communications without proper legal authorization is incorrect and was not briefed to Congress. Members have been briefed on the implementation of Section 702, that it targets foreigners located overseas for a valid foreign intelligence purpose, and that it cannot be used to target Americans anywhere in the world.”

  5. LeMoyne says:

    NSA, FBI and the Executive Branch shall share requested information with Legislative and Judicial Branch personnel to allow them to perform their lawful oversight roles. Requested information shall be provided in a timely manner, whether it is the BR data, it is derived from the BR data, or it is the policies and procedures [PP] governing the collection, analysis, minimization or storage of information gathered under the BR program. The Legislative and Judicial Branches shall have access to all kinds of information concerning the BR programs such as the summary and specific volumes and flows of BR data, the size, disposition and tasks of the workforce, the audits of actions taken versus the PP, the reviews of past and current PP and the planning of future PP.

    Dreaming, I know – but it’s more than just a bit of fun to imagine what oversight capability would look like if it actually existed. The FISC orders would have better boilerplate that is mandated by the enabling act for example. But then PATRIOT…FAA wouldn’t be so enabling, now would they?

Comments are closed.