The NSA (Said It) Ate Its Illegal Domestic Content Homework before Having to Turn It in to John Bates

The question of whether NSA can keep its Section 215 dragnet data past November 28 has been fully briefed for at least 10 days, but Judge Michael Mosman has not yet decided whether the NSA can keep it — at least not publicly. But given what the NSA IG Report on NSA’s destruction of the Internet dragnet says (liberated by Charlie Savage and available starting on PDF 60), we should assume the NSA may be hanging onto that data anyway.

This IG Report documents NSA’s very hasty decision to shut down the Internet dragnet and destroy all the data associated with it at the end of 2011, in the wake of John Bates’ October 3, 2011 opinion finding, for the second time, that if NSA knew it had collected US person content, it would be guilty of illegal wiretapping. And even with the redactions, it’s clear the IG isn’t entirely certain NSA really destroyed all those records.

The report adds yet more evidence to support the theory that the NSA shut down the PRTT program because it recognized it amounted to illegal wiretapping. The evidence to support that claim is laid out in the timeline and working notes below.

The report tells how, in early 2011, NSA started assessing whether the Internet dragnet was worth keeping under the form John Bates had approved in July 2010, which was more comprehensive and permissive than what got shut down around October 30, 2009. NSA would have had SPCMA running in big analytical departments by then, plus FAA, so they would have been obtaining these benefits over the PRTT dragnet already. Then, on a date that remains redacted, the Signals Intelligence Division asked to end the dragnet and destroy all the data. That date has to post-date September 10, 2011 (that’s roughly when the last dragnet order was approved), because SID was advising to not renew the order, meaning it happened entirely during the last authorization period. Given the redaction length it’s likely to be October (it appears too short to be September), but could be anytime before November 10. [Update: As late as October 17, SID was still working on a training program that covered PRTT, in addition to BRFISA, so it presumably post-dates that date.] That means that decision happened at virtually the same time or after, but not long after, John Bates raised the problem of wiretapping violations under FISA Section 1809(a)(2) again on October 3, 2011, just 15 months after having warned NSA about Section 1809(a)(2) violations with the PRTT dragnet.

The report explains why SID wanted to end the dragnet, though three of four explanations are redacted. If we assume bullets would be prioritized, the reason we’ve been given — that NSA could do what it needed to do with SPCMA and FAA — is only the third most important reason. The IG puts what seems like a non sequitur in the middle of that paragraph. “In addition, notwithstanding restrictions stemming from the FISC’s recent concerns regarding upstream collection, FAA §702 has emerged as another critical source for collection of Internet communications of foreign terrorists” (which seems to further support that the decision post-dated that ruling). Indeed, this is not only a non sequitur, it’s crazy. Everyone already knew FAA was useful. Which suggests it may not be a non sequitur at all, but instead something that follows off of the redacted discussions.

Given the length of the redacted date (it is one character longer than “9 December 2011”), we can say with some confidence that Keith Alexander approved the end and destruction of the dragnet between November 10 and 30 — during the same period the government was considering appealing Bates’ ruling, close to the day — November 22 — NSA submitted a motion arguing that Section 1809(a)(2)’s wiretapping rules don’t apply to it, and the day, a week later, it told John Bates it could not segregate the pre-October 31 dragnet data from post October 31 dragnet data.

Think how busy a time this already was for the legal and tech people, given the scramble to keep upstream 702 approved! And yet, at precisely the same time, they decided they should nuke the dragnet, and nuke it immediately, before the existing dragnet order expired, creating another headache for the legal and tech people. My apologies to the people who missed Thanksgiving dinner in 2011 dealing with both these headaches at once.

Not only did NSA nuke the dragnet, but they did it quickly. As I said, it appears Alexander approved nuking it November 10 or later. By December 9, it was gone.

At least, it was gone as far as the IG can tell. As far as the 5 parts of the dragnet (which appear to be the analyst facing side) that the technical repository people handled, that process started on December 2, with the IG reviewing the “before” state, and ended mostly on December 7, with final confirmation happening on December 9, the day NSA would otherwise have had to have new approval of the dragnet. As to the the intake side, those folks started destroying the dragnet before the IG could come by and check their before status:

However, S3 had completed its purge before we had the opportunity to observe. As a result we were able to review the [data acquisition database] purge procedures only for reasonableness; we were not able to do the before and after comparisons that we did for the TD systems and databases disclosed to us.

Poof! All gone, before the IG can even come over and take a look at what they actually had.

Importantly, the IG stresses that his team doesn’t have a way of proving the dragnet isn’t hidden somewhere in NSA’s servers.

It is important to note that we lack the necessary system accesses and technical resources to search NSA’s networks to independently verify that only the disclosed repositories stored PR/TT metadata.

That’s probably why the IG repeatedly says he is confirming purging of the data from all the “disclosed” databases (@nailbomb3 observed this point last night). Perhaps he’s just being lawyerly by including that caveat. Perhaps he remembers how he discovered in 2009 that every single record the NSA had received over the five year life of the dragnet had violated Colleen Kollar-Kotelly’s orders, even in spite of 25 spot checks. Perhaps the redacted explanations for eliminating the dragnet explain the urgency, and therefore raise some concerns. Perhaps he just rightly believes that when people don’t let you check their work — as NSA did not by refusing him access to NSA’s systems generally — there’s more likelihood of hanky panky.

But when NSA tells — say — the EFF, which was already several years into a lawsuit against the NSA for illegal collection of US person content from telecom switches, and which already had a 4- year old protection order covering the data relevant to that suit, that this data got purged in 2011?

Even NSA’s IG says he thinks it did but he can’t be sure.

But what we can be sure of is, after John Bates gave NSA a second warning that he would hold them responsible for wiretapping if they kept illegally collecting US person content, the entire Internet dragnet got nuked within 70 days — gone!!! — all before anyone would have to check in with John Bates again in connection with the December 9 reauthorization and tell him what was going on with the Internet dragnet.

Update: Added clarification language.

Update: The Q2 2011 IOB report (reporting on the period through June 30, 2011) shows a 2-paragraph long, entirely redacted violation (PDF 10), which represents a probably more substantive discussion than the systematic overcollection that shut down the system in 2009.


Timeline

July 2010: John Bates rules categories of PRTT data not approved by Colleen Kollar-Kotelly illegal but authorizes the resumption of the PRTT dragnet (though it does not restart immediately).

Around September 10 (probably September 16), 2011: Last reauthorization of Internet dragnet.

October 3, 2011: John Bates rules upstream collection of US person content illegal.

October 13, 2011: Briefing order to respond to Section 1809(a)(2) concerns.

October 17, 2011: Date on draft training program covering both BRFISA and PRTT programs.

October 31, 2011: Government submits new minimization procedures to address problems with upstream collection.

November 22, 2011: Government claims Section 1809(a)(2) doesn’t apply.

November 29, 2011: Government claims it can’t separate out Internet transactions collected under prior minimization procedures, and therefore cannot comply with new minimization procedures, but promises to amend the October 31 MPs to account for this.

November 30, 2011: John Bates approves the October 31 MPs pending changes for the past collection.

Late November: Approval for destruction of data and beginning of destruction.

December 2: Start of observed purge.

December 7: Second step of purge.

December 9: Completion of observed purge and expiration of last Internet dragnet order.

April 2012: NSA makes a “corporate decision” to purge all the upstream collection from prior to October 31, 2011, and “orally informs” the court.


Content notes

[cover] They’ve redacted the date of the report, which I’d WAG was in spring 2012.

[Ellard letter] XThey’ve redacted the data again and the full title (or perhaps date) of the report. If its the title they’ve redacted, it might say something like “NSA repositories.” Correction: The redaction after the title is the internal tracking number of the report. It’s probably something like (STL-10-0004M).

[Ellard letter] The first of numerous caveats that this report only applies to “declared” databases, along with a “disclosed to us” caveat.

[Ellard letter] This says the data was destroyed before the PRTT order expired on December 9, which would put the authorization for that order around September 10.

[1] The dates in the first redaction are probably October 2009 (which may be general) and October 2010.

[1] The second redaction may describe who was targeted with the dragnet (as that’s what similar redactions on the phone side always say).

[1] The third redaction is roughly 15 characters.

[1] The fourth redaction is roughly 10 characters (but doesn’t include the year). That probably dates the decision to sometime after September (which has 9 digits before spaces and a date), and probably means it occurred in the single digits of October, which would take up 9 digits plus spaces before or after, though it’s possible it happened in late October or early November.

[1] The first reason to kill the dragnet.

[2] In the middle of redacted reasons 2 and 4 to kill the dragnet is the paragraph saying NSA could do what it needed with SPCMA and FAA. For some reason it invokes Bates’ October 3, 2011 decision on upstream 702 collection.

[2] It appears the redacted date describing Keith Alexander approving the expiration and destruction of the dragnet is one digit longer than the 9 December date mentioned later in the sentence. This means it has to be either late November — which I’m all but certain it is — or early September.

[2] 2nd use of “declared.”

[3] This page lists the 6 locations of PRTT, which has 4 subsections within the corporate database.

[4] This redaction is the same length as the approval date for destroying the data, meaning it is late November.

[4] Admission that they can’t ensure the data is gone, especially from the Data Acquisition Directorate.

[5] This 6 entry table probably correlates with the 6 locations of PRTT on page 3. The S3 is probably intake systems. The other redacted language describes what part of the structured repositories got destroyed.

[5] Another use of “declared.”

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

8 replies
  1. P J Evans says:

    I’m supposed to believe anything the intelligence agencies say because why?

    (Woolsey is blaming Paris on Snowden. As if.)

  2. Giles Byles says:

     
    “comparisons that we did for the TD systems and databases disclosed to us.”
     
    What does that TD acronym stand for again?  (Search returned 163 meanings.)
     
    table of distribution
    target database
    target dataset
    target detection
    telephone directory
    time dependent
    traffic data
    transaction date
    transmission data
     
    Any of the above?  Don’t know why this is bothering me.  Maybe a mental block.
     
    But frankly I’m more interested in the time-line of when the 702 mechanism came online.  Flying photons filched by feckless fuckheads.  Late 2011 is obviously before Snowden got famous & before the Bluffdale “facility” was ready to be powered up.  Could have happened right in there somewhere.
     
    702 is where the sickening perfidies of our nascent surveillance state are gestating as we sleep.  The metadata “dragnet” is old news & a mere distraction therefrom.

  3. Giles Byles says:

     
    TD would be telemetry data.  Duh.  Of course they know where every bozo’s smartphone is.
     
    Room 641A was 2006.  Binney testified that since then, they’ve bought umpty-nine thousand beam splitters.
     
    Must sleep now.

  4. emptywheel says:

    I should remind that, given Ellard’s uncertainty about whether NSA really nuked this data, in 2012 NSA found 3000 files (it’s unclear what a file is, especially when you’re talking on the scope of “all phone records in the US) sitting on a random tech server. This was data that should have been aged off.

     

    NSA nuked THAT data before anyone could come up with an explanation of what it was, how it got there, and why.

  5. orionATL says:

    this seems to me to be a particularly important document.

    what it demonstrates to me is that the nsa is a lawless organization.

    i mean, literally, an organization that operates without regard to law, outside the law.

    when faced with a judicial order twice repeated, the nsa MAY have destroyed the data invoked by that order, or it may not have. no one knows. no one has sufficient authority or political/policing power to determine whether the nsa has or has not followed the law applied to it, no ones except those officers of the nsa autjorized from within it to know. the adjective “incestuous” somehow comes to mind – maybe “closed-cell” would be less flambouyant.

    put another way, the nsa is, functionally, externally lawless – self-regulating and self-investigating and self-enforcing. even its congressionally mandated inspector general does not have enough authority, or, more properly, is prevented by nsa officers from exercising his congressionally mandated investigative authority.

    i dont know enough specifics to be certain about why this very dangerous situation exists, but i am willing to attribute it to judicial timidity and to entirely unwarranted judicial trust (which may be a function of the fact that the judiciary has no enforcement arm and has no control over its operating budget).

    is there any other such institution in the u.s. federal government?

    • orionATL says:

      i suspect much of the lawlessness of the nsa can be attributed to the flaccid (to the point of incompetence) oversight exercised over the nsa by the senste select committee on intelligence and its chairs, particularly sen diane feinstein.

      it seems well past time for the senate to disband the ssci on the grounds its job can be done by the standing committees and, more importantly, that the ssci has failed to exercise competent oversight over the intelligence gathering agencies nominally under its jurisdiction, particularly the nsa.

      the full damage this failed oversight has done is not now much apparent. it will only become apparent in a time of domestic unrest genersted by a push for change in government. at that point leaders of the push for change will be singled out by electtonic intelligence and have their voices smoothered, cf., fbi intelligence flights over baltimore in spring, 2015 under the guise of crowd control.

      it was largely to protect such new political leadership that the bill of rights – written by those new political leaders who understood personally the ways entrenched power suppresses change – was adopted.

Comments are closed.