I Con the Record Transparency Bingo (3): CIA Continues to Hide Its US Person Network Analysis
As I noted in this post on the single positive hit in a criminal back door 702 search and this post on the inexplicable drop in PRTT numbers, I’m going to clarify things I’m seeing confusion over in the I Con the Record Transparency Report, then do a full working thread.
This year’s report shows a steady increase in the number of metadata searches in raw Section 702 data, a 22% (6,555 query) increase off year.
The graphic admits that these 30,355 queries don’t include the FBI (because the transparency procedures passed by USAF freedom pretty much exempted FBI from everything important). But then further down in the written text, I Con the Record admits that one agency of the IC could not estimate its metadata queries.
As with last year’s transparency report, one IC element remains currently unable to provide the number of queries using U.S. person identifiers of unminimized Section 702 non-content information.
That Agency is the CIA, not the FBI (which isn’t required to count its queries).
We know this from a number of places, including James Clapper’s original report on back door searches to Ron Wyden and the PCLOB 702 report (page 58). PCLOB’s most recent Recommendations update noted that CIA hasn’t implemented the recommendation to track foreign intelligence purpose for queries because it has not yet updated its data management. Nor do ODNI and DOJ review it.
The status of the CIA metadata queries remains the same as reported in the Board’s Recommendations Assessment Report of January 2015, namely with respect to the CIA’s metadata queries using U.S. person identifiers, the CIA accepted and plans to implement this recommendation as it refines internal processes for data management. Thus, the CIA’s new minimization procedures do not reflect changes to implement this recommendation with regard to metadata queries.
U.S. person queries by the NSA and CIA are already subject to rigorous executive branch oversight (with the exception of metadata queries at the CIA), supplying this additional information to the FISC could help guide the court by highlighting whether the minimization procedures are being followed and whether changes to those procedures are needed.
CiA’s metadata-only repository does not have the capacity for documenting why the query is reasonably likely to provide foreign intelligence information. Upon opening the repository, however, users will be met with a pop-up reiterating the query standard and requiring their assent before they may proceed.
I officially bet a quarter that CIA will find a way to count this next year, as by then, many of these queries will have moved to EO 12333 querying, which does not get counted.
So the report on metadata searches only shows what NSA does. Since last year, we have confirmed that these metadata queries include upstream 702 data, which carry their own risks.
And we also now have a sense that those queries are automated. The I Con the Record report explains this is just a good faith effort.
The above is a good faith estimate of the number of queries concerning a known U.S. person that the government conducted of unminimized (i.e., raw) lawfully acquired Section 702 metadata.
That’s because this is done by algorithm and business rule, not by any kind of tracking (I’m guessing because of the way metadata is used to triage newly collected identifiers).
NSA will rely on an algorithm and/or a business rule to identify queries of communications metadata derived from the FAA 702 [redacted] and telephony collection that start with a United States person identifier. Neither method will identify those queries that start with a United States person identifier with 100 percent accuracy.
The privacy community made great celebration about shutting down a phone dragnet that was just used to query 200 or so selectors. Meanwhile, each year the NSA, alone, conducts thousands more such queries (and in a way that likely ties more closely to content searches). And 3 years after people started pressuring it to do so, CIA still doesn’t count how many queries it is doing.
Which likely means CIA is doing a whole bunch of network analysis on US persons that it doesn’t want us to know about.