January 1, 2015 / by emptywheel

 

The IOB Reports on the Internet Dragnet Violations: “Nothing to Report”

I’ve been working through the NSA’s reports to the Intelligence Oversight Board. Given that we know so much about the phone and Internet dragnets, I have been particularly interested in how they got reported to the IOB.

By and large, though, they didn’t. Even though we know there were significant earlier violations (some of the phone dragnet violations appear in this timeline; there was an Internet violation under the first order and at least one more of unknown date), I believe neither gets any mention until the Q1 2009 report. These are on the government’s fiscal year calendar, which goes from October to September, so this report covers the last quarter of 2008. The Q1 2009 report explains a few (though not the most serious) 2008-related phone dragnet problems and then reveals the discovery of the alert list, which technically happened in Q2 2009.

Now, it may be that the IOB received other notice of the earlier violations. Or it may be that the NSA still treated them under the “reported to the President” loophole created for Stellar Wind. (That loophole was still in the reports in 2013, so they could still be using it today!)

In any case, with the notice of the phone dragnet orders in Q1 2009, NSA also listed the Internet dragnet, but said it had nothing to report.

Before its discussion of the known systemic phone dragnet problems, the Q2 2009 report includes this violation which doesn’t appear in this form (it may well be described in different fashion) in the other phone dragnet discussions.

On 7 January 2009, while searching collection [redacted] NSA analysts found BR FISA data included in the query results. Of the [redacted] selectors used in queries, only [redacted] had been approved under the reasonable articulable suspicion (RAS) standard. Although the numbers were associated with a foreign target, the selectors had not been approved for call chaining in the BR FISA data. The analyst did not know that approval must be sought for BR FISA[redacted–note, not space] call chaining. No data was retained, and no reports were issued.

I find it interesting because that’s precisely where the problem with the phone dragnet stemmed from: BR FISA data had gotten thrown into the EO 12333 data without any technical controls or markings. Indeed, it’s possible this is how the phone dragnet problems were first discovered.

It then has a 3 paragraph description of the phone dragnet problems. The description leaves out certain bits (notably that 3,000 presumed US persons were being watchlisted without First Amendment review, but also the use of automatic searches on BR FISA data that were not permitted).

It also describes a notification to the Majority SSCI Staff Director. NSA neither released that notification under this FOIA nor included its date.

[Image: Screen shot 2014-12-31 at 2.10.30 PM]

We do know of a Congressional notification in the period — this notice to HPSCI on February 25, 2009. But as noted in a later (April 10) Report to the SSCI, SSCI also got notification on February 25, though it may have been a different document. Or, it may be that this reference is actually a description of the April 10 report (which is four parts, but came out in the following quarter).

In spite of the fact that that notice included an Internet dragnet problem (a manual query that had previously been noticed to FISC), the IOB report nevertheless claims there is “nothing to report” on the Internet dragnet.

Which brings us to the Q3 2009 report. Here’s what it has to say about the ongoing discovery of dragnet violations — including more on the Internet dragnet side:

[Image: Screen shot 2014-12-31 at 2.51.58 PM]

Rather than detailing the multiple violations NSA had found in the quarter, the report instead includes the phone dragnet End-to-End Report and one notice to Congress. Based on the order in which the IOB report discusses various notices to Congress (the paragraph appears after discussion of the June 17, 2009 notice on the Risen and Lichtblau article described here), it probably included this June 29, 2009 report. That would have been the only notice of the various Internet dragnet problems, including that FBI and CIA had improperly gotten access to query results.

The Q4 2009 report describes two PRTT violations — one person chaining out an extra hop, and another violation that is entirely redacted. It makes no mention of the Internet dragnet End-to-End report which probably got finished in that time period. That would suggest the IOB never learned of the extent of the PRTT violations.

NSA revealed the big problem in the Q1 2010 report (which narrows down the time when NSA’s General Counsel admitted it to DOJ’s National Security Division, almost certainly to October 2009, which is particularly interesting because Vito Potenza retired that month). Here’s how NSA explains to IOB that every single record the NSA had collected going back to 2004 had included categories of information specifically not permitted in the original Colleen Kollar-Kotelly order.

In Court Order PR/TT [redacted] and previous orders, the FISC authorized the installation and use of pen registers and trap and trace devices as described in the government’s application to collect specific information likely to identify the sources or destinations of specified electronic communications [redacted] NSA’s Office of General Counsel learned that [redacted ] not specifically authorized by the Order. [redacted] NSA informed the Department of Justice’s National Security Division that, in consultation with the NSA’s Director, it had instructed NSA analysts to cease querying the PR/TT metadata until the matter was resolved and with the court’s express approval to resume receipt of specified communications and to resume its previous operational practices. The order expired [redacted] Data in NSA’s possession was quarantined and collection ceased.

Rather than “not specifically authorized” the NSA should have said, “specifically prohibited.” The NSA should probably also have revealed that they got caught overcollecting way back in 2004, then promised it would never happen again (when in fact they simply never stopped). The NSA should probably have also revealed that Kollar-Kotelly imposed spot checks to make sure such overcollection didn’t happen; in spite of 25 spot checks, NSA never managed to discover they were still violating Kollar-Kotelly’s order.

In other words, the NSA was breaking the rules, had been for years, and was probably willingly hiding it. NSA just decided to hide that part — what was probably willful obstruction — from the board that’s supposed to learn of legal violations.

After that, the PRTT order doesn’t show up in reports — meaning NSA never told IOB it got authorization to turn the dragnet back on in 2010 — until the Q4 2011 report, which includes 2 completely redacted violations.

[Image: Screen shot 2015-01-01 at 5.41.04 PM]

Interestingly, that report (which covers July through September 2011) was dated December 12, 2011. Which means it was finalized after this happened (as reported in the Q1 2012 report).

[Image: Screen shot 2015-01-01 at 5.50.08 PM]

Curiously, after years of not addressing the Internet dragnet at all, the following two reports kept reporting that the Internet dragnet was dead.

[Image: Screen shot 2015-01-01 at 6.03.16 PM]

It’s almost as if years of claiming there was “nothing to report” — or, more frequently, not even mentioning the program when there was stuff to report — led IOB to ask for assurances.

Originally Posted @ https://www.emptywheel.net/2015/01/01/the-iob-reports-on-the-internet-dragnet-violations-nothing-to-report/