NSA Reported a Section 702 Upstream Overcollection Incident in 2012

I’m working on a longer post on the timing of the NSA’s bid to get a cyber Section 702 certificate in 2012. But I wanted to point to a detail about upstream 702 collection that may be relevant to the issue.

According to the 4Q FY2012 Intelligence Oversight Board report — the one covering the quarter ending September 30, 2012 — NSA notified Congress of an overcollection (a polite way of saying “illegal data collection”) under both upstream collection and “other authorities.” The overcollection was fairly significant, both because NSA did notify Congress, which it doesn’t do for individual incidences of overcollection, and because NSA had to implement both a short-term and long-term solution to the collection issue.

2012 Upstream Notice

This is almost certainly separate from the upstream violations reported in 2011, which resulted in Judge John Bates declaring the collection of entirely US-person data as part of Multi-Communication Transactions collected using upstream 702 collection to be a violation of the Fourth Amendment. Reference to that notice appeared in the 3Q FY2011 report, the one covering the quarter ending June 30, 2011. Not only does the earlier IOB Report show Congress had already been notified of the 2011 violations, but that (unlike some earlier notices) they were notified in timely fashion.

Which suggests the 2012 notification was probably provided to Congress shortly after its official discovery, too.

Moreover, a description of the 2011 problems with upstream collection appeared in a May 4, 2012 letter to Congress, in anticipation of FISA Amendments Act reauthorization that year, by which point NSA had already informed Bates they were going to purge the overcollected MCT data (that happened in April 2012). Thus, no new notice would have been necessary (and would have been sent exclusively to the Intelligence Committees) in 3Q FY2012, which started on July 1.

So this 2012 notice almost certainly represents yet another incidence where NSA (and possibly another agency, given the redaction length and reference to other authorities) illegally collected content it wasn’t entitled to collect inside the US.

This overcollection is significant for two reasons.

First, as will become more clear when I do this timeline, DOJ and NSA would have been dealing with this overcollection at precisely the same time the two agencies were preparing to apply for a Section 702 certification authorizing the collection of cyber signatures. Indeed, it’s possible that is why this overcollection was officially identified, as I’ll lay out, though there are plenty of other possibilities as well.

Just as importantly, USA F-ReDux probably just authorized the government to use the data collected under this second incident of apparently systemic overcollection under upstream 702.

On its face, Section 301 of USA F-ReDux appears to prohibit the use (but not the parallel construction of) data collected unlawfully under Section 702 unless it presents a threat of death or serious bodily harm (which NSA has secretly redefined to include threat to property).

[I]f the Court orders a correction of a deficiency in a certification or procedures under subparagraph (B), no information obtained or evidence derived pursuant to the part of the certification or procedures that has been identified by the Court as deficient concerning any United States person shall be received in evidence or otherwise disclosed in any trial [… or any other Federal proceeding …] except with the approval of the Attorney General if the information indicates a threat of death or serious bodily harm to any person.

But in substance, the Section actually authorizes the government to use such data once it has satisfied the FISC.

If the Government corrects any deficiency identified by the order of the Court under subparagraph (B), the Court may permit the use or disclosure of information obtained before the date of the correction under such minimization procedures as the Court may approve for purposes of this clause.

The Section likely addresses something that happened as John Bates tried to deal with both the PRTT Internet dragnet violations in 2010 and the upstream collection violations in 2011. In both cases, he found the government had intentionally collected US person content in the US. And so, Bates determined, under 50 U.S.C. § 1809(a), it would be a crime for the government to disseminate the data.

In 2010, Bates rejected a slew of government arguments (see pages 100 to 113) that he could just retroactively make this illegal collection legal.

Finally, insofar as the government suggests that the Court has an inherent authority to permit the use and disclosure of all unauthorized collection without regard to Section 1809, see Memorandum of Law at 73-74 & n.37, the Court again must disagree.


The Court simply lacks the power, inherent or otherwise, to authorize the government to engage in conduct that Congress has unambiguously prohibited

Bates’ interpretation of 50 U.S.C. § 1809(a) is what led the government to purge the illegally collected upstream data in April 2012 (that may have also been why NSA purged its illegally collected Internet dragnet data in December 2011).

Section 301 of USA F-ReDux was clearly intended to give FISC the authority Bates said he didn’t have in 2010: to permit a FISC judge to permit the government to disseminate data found to be illegally collected, but retroactively sanctioned via the use of minimization procedures.

At first, I didn’t think the Section would affect any known data, because NSA purged both the illegal PRTT data and the illegal upstream data, so that couldn’t be used anymore.

But the IOB report shows there was more illegal upstream data collected, within a year. And the reference to a “long-term solution” to it may suggest that NSA held onto the data and was just finding a way to retroactively authorize it.

From the IOB description, we can’t know what data NSA had illegally collected or why. But there’s a decent chance USA F-ReDux just retroactively made the use of it legal.

6 replies
  1. wallace says:

    quote”From the IOB description, we can’t know what data NSA had illegally collected or why. But there’s a decent chance USA F-ReDux just retroactively made the use of it legal.”unquote

    Congress makes NSA criminality legal. Whudda thunk. Meanwhile, someone suggests the Congress should be subject to FOIA. Outrageous cries Congress.

    If incredulous was weather, these assholes would be a fucking 5.9 hurricane.

  2. JohnT says:

    I wish I could remember which website it was, but when I first started researching this during W’s first term, there were a lot of pdf’s of congressional reports that confirmed they were over-collecting

    (Racking my brain trying to remember)

  3. BiasedReporter says:

    it may be time to start working on a 702 rap sheet, especially after OPM breach and current media discussions.

    This was Rep Schiff on Fox News Sunday http://www.foxnews.com/transcript/2015/06/07/reps-king-schiff-on-preventing-cyberattacks-can-rick-santorum-win-gop/

    WALLACE: We learned this week through another one of Edward Snowden’s leaks that President Obama approved the NSA using warrantless surveillance to pick up international internet traffic of Americans that may be involved in some way in hacking.

    Congressman Schiff, you were one of the leaders in the effort to restrict the government’s collection of our phone records. Are you OK with this new avenue of collection of information that may involve Americans?

    SCHIFF: Well, I oppose the gathering of bulk data by the government because it was unnecessary for us to hold that data. But in terms of this effort to identify foreign hackers, hackers working for foreign states that are going to come in and steal our secrets, that are going to damage our infrastructure or damage our companies — absolutely, we need to gather that intelligence. It’s done under Section 702. It’s done with court supervision.

    And I think this is fundamentally what the American people expect of their government. And that is that we ought to be aggressively going after identifying and protecting the country from cyber hackers.

    We do need to make sure, though, Chris, in that process if there’s any incidental collection, unintended collected of information about Americans, somebody, for example, a foreign hacker hacks into an American company and steals the information, that we follow all the minimization requirements, and I’m confident that’s exactly what we will do and what we have to do.

    • emptywheel says:

      Thanks for the quote. From that it looks like 1) NSA didn’t get the cyber specific certificate 2) FISC has imposed minimization procedures on this now, which leads me to believe the overcollection was the cyber collection.

      That’s the theory I’m working on, anyway.

      • BiasedReporter says:

        Thanks. I heard someone say on the Sunday shows that there was no abuse of 702, which is why I wanted to point it out to you.

        your theories usually turn out to be correct……

  4. orionATL says:

    with respect to clauses/paragraphs inserted in the recently usa un-freedom act, the nsa and broader intelligence community always know what they need and what those clauses and paragraphs actually imply in terms of authorizing/legitimizing nsa/fbi collection and storage behavior. the chumps voting in congress do not know, or do not understand, and blythly vote away.

    this can not reasonably be interpreted as congress knowing what it was “authorizing”.

Comments are closed.