NSA Reported a Section 702 Upstream Overcollection Incident in 2012
I’m working on a longer post on the timing of the NSA’s bid to get a cyber Section 702 certificate in 2012. But I wanted to point to a detail about upstream 702 collection that may be relevant to the issue.
According to the 4Q FY2012 Intelligence Oversight Board report — the one covering the quarter ending September 30, 2012 — NSA notified Congress of an overcollection (a polite way of saying “illegal data collection”) under both upstream collection and “other authorities.” The overcollection was fairly significant, both because NSA did notify Congress, which it doesn’t do for individual incidences of overcollection, and because NSA had to implement both a short-term and long-term solution to the collection issue.
This is almost certainly separate from the upstream violations reported in 2011, which resulted in Judge John Bates declaring the collection of entirely US-person data as part of Multi-Communication Transactions collected using upstream 702 collection to be a violation of the Fourth Amendment. Reference to that notice appeared in the 3Q FY2011 report, the one covering the quarter ending June 30, 2011. Not only does the earlier IOB Report show Congress had already been notified of the 2011 violations, but that (unlike some earlier notices) they were notified in timely fashion.
Which suggests the 2012 notification was probably provided to Congress shortly after its official discovery, too.
Moreover, a description of the 2011 problems with upstream collection appeared in a May 4, 2012 letter to Congress, in anticipation of FISA Amendments Act reauthorization that year, by which point NSA had already informed Bates they were going to purge the overcollected MCT data (that happened in April 2012). Thus, no new notice would have been necessary (and would have been sent exclusively to the Intelligence Committees) in 3Q FY2012, which started on July 1.
So this 2012 notice almost certainly represents yet another incidence where NSA (and possibly another agency, given the redaction length and reference to other authorities) illegally collected content it wasn’t entitled to collect inside the US.
This overcollection is significant for two reasons.
First, as will become more clear when I do this timeline, DOJ and NSA would have been dealing with this overcollection at precisely the same time the two agencies were preparing to apply for a Section 702 certification authorizing the collection of cyber signatures. Indeed, it’s possible that is why this overcollection was officially identified, as I’ll lay out, though there are plenty of other possibilities as well.
Just as importantly, USA F-ReDux probably just authorized the government to use the data collected under this second incident of apparently systemic overcollection under upstream 702.
On its face, Section 301 of USA F-ReDux appears to prohibit the use (but not the parallel construction of) data collected unlawfully under Section 702 unless it presents a threat of death or serious bodily harm (which NSA has secretly redefined to include threat to property).
[I]f the Court orders a correction of a deficiency in a certification or procedures under subparagraph (B), no information obtained or evidence derived pursuant to the part of the certification or procedures that has been identified by the Court as deficient concerning any United States person shall be received in evidence or otherwise disclosed in any trial [… or any other Federal proceeding …] except with the approval of the Attorney General if the information indicates a threat of death or serious bodily harm to any person.
But in substance, the Section actually authorizes the government to use such data once it has satisfied the FISC.
If the Government corrects any deficiency identified by the order of the Court under subparagraph (B), the Court may permit the use or disclosure of information obtained before the date of the correction under such minimization procedures as the Court may approve for purposes of this clause.
The Section likely addresses something that happened as John Bates tried to deal with both the PRTT Internet dragnet violations in 2010 and the upstream collection violations in 2011. In both cases, he found the government had intentionally collected US person content in the US. And so, Bates determined, under 50 U.S.C. § 1809(a), it would be a crime for the government to disseminate the data.
In 2010, Bates rejected a slew of government arguments (see pages 100 to 113) that he could just retroactively make this illegal collection legal.
Finally, insofar as the government suggests that the Court has an inherent authority to permit the use and disclosure of all unauthorized collection without regard to Section 1809, see Memorandum of Law at 73-74 & n.37, the Court again must disagree.
The Court simply lacks the power, inherent or otherwise, to authorize the government to engage in conduct that Congress has unambiguously prohibited
Bates’ interpretation of 50 U.S.C. § 1809(a) is what led the government to purge the illegally collected upstream data in April 2012 (that may have also been why NSA purged its illegally collected Internet dragnet data in December 2011).
Section 301 of USA F-ReDux was clearly intended to give FISC the authority Bates said he didn’t have in 2010: to permit a FISC judge to permit the government to disseminate data found to be illegally collected, but retroactively sanctioned via the use of minimization procedures.
At first, I didn’t think the Section would affect any known data, because NSA purged both the illegal PRTT data and the illegal upstream data, so that couldn’t be used anymore.
But the IOB report shows there was more illegal upstream data collected, within a year. And the reference to a “long-term solution” to it may suggest that NSA held onto the data and was just finding a way to retroactively authorize it.
From the IOB description, we can’t know what data NSA had illegally collected or why. But there’s a decent chance USA F-ReDux just retroactively made the use of it legal.