Confirmed: NSA Does Search Section 702 Data for Particular US Person Data
Update: To help Joshua Foust understand this topic, I did a second, really basic version of this post here. So if you’re fairly new to all this stuff, you might start there and then come back.
Update: Alexander’s office has conceded Udall and Wyden’s point about the classified inaccuracy. It also notes:
With respect to the second point raised in your 24 June 2013 letter, the fact sheet did not imply nor was it intended to imply “that the NSA has the ability to determine how many American communications it has collected under section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans.”
He then cites two letters from James Clapper’s office which I don’t believe have been published.
I’ve seen some people complaining that Ron Wyden and Mark Udall didn’t explicitly describe what Keith Alexander’s lies were in the NSA handout on Section 702 collection (note, as of 1PM, NSA has taken down their handout from their server). I’m okay with them leaving big breadcrumbs instead, not least because until we fix intelligence oversight, we’re going to need people like them who manage to stay on the committees but lay these signposts.
That said, I think people are underestimating how big of a signpost they did leave. Consider this, from their letter:
Separately, this same fact sheet states that under Section 702, “Any inadvertently acquired communication of or concerning a US person must be promptly destroyed if it is neither relevant to the authorized purpose nor evidence of a crime.” We believe that this statement is somewhat misleading, in that it implies that the NSA has the ability to determine how many American communications it has collected under section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans. [my emphasis]
Last year’s SSCI report on extending the FISA Amendments Act strongly implied that the government interpreted the law to mean it could search for records of particular Americans.
During the Committee’s consideration of this legislation, several Senators expressed a desire to quantify the extent of incidental collection under Section 702. I share this desire. However, the Committee has been repeatedly advised by the ODNI that due to the nature of the collection and the limits of the technology involved, it is not reasonably possible to identify the number of people located in the United States whose communications may have been reviewed under Section 702 authority. Senators Ron Wyden and Mark Udall have requested a review by the Inspector General of the NSA and the Inspector General of the Intelligence Community to determine whether it is feasible to estimate this number. The Inspectors General are conducting that review now, thus making an amendment on this subject unnecessary.
Finally, on a related matter, the Committee considered whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited or more robustly constrained. As already noted, the Intelligence Community is strictly prohibited from using Section 702 to target a U.S. person, which must at all times be carried out pursuant to an individualized court order based upon probable cause. With respect to analyzing the information lawfully collected under Section 702, however, the Intelligence Community provided several examples in which it might have a legitimate foreign intelligence need to conduct queries in order to analyze data already in its possession. [my emphasis]
This passage made it clear that the Intelligence Community had demanded the ability to search on US person data already collected. Wyden and Udall’s letter makes that even more clear.
And the minimization procedures leaked last week support this (though note, these date to 2009 and might have been ruled to violate the Fourth Amendment since, though I suspect they haven’t).
They make it clear that US person communications will be retained if they contain foreign intelligence information (a term not defined in the procedures), including those they collected because (they claim) they’re unable to filter it out.
(1) Personnel will exercise reasonable judgment in determining whether information acquired must be minimized and will destroyed inadvertently acquired communications of or concerning a United States person at the earliest practicable point in the processing cycle at which such communication can be identified either: as clearly not relevant to the authorized purpose of the acquisition (e.g., the communication does not contain foreign intelligence information)
The communications that may be retained include electronic communications acquired because of limitations on NSA’s ability to filter communications.
(2) Communications of or concerning United States persons that may be related to the authorized purpose of the acquisition may be forwarded to analytic personnel responsible for producing intelligence information from the collected data.
The procedures make it clear that, with authorization from the NSA Director, even communications entirely between US persons may be retained (see section 5) if they are of significant intelligence value. Communications showing a communications security vulnerability may also be retained (this permission, related to cybersecurity, was not made public in the NSA handout).
And here’s perhaps the most interesting way of keeping US person data.
(1) NSA may provide to the Central Intelligence Agency (CIA) unminimized communications acquired pursuant to section 702 of the Act. CIA will identify to NSA targets for which NSA may provide unminimized communications to CIA. CIA will process any such unminimized communications received from NSA in accordance with CIA minimization procedures …
(2) NSA may provide to the FBI unminimized communications acquired pursuant to section 702 of the Act. FBI will identify to NSA targets for which NSA may provide unminimized communications to the FBI. FBI will process any such unminimized communications received from NSA in accordance with FBI minimization procedures …
This is a kind of collection that Pat Leahy seems to believe escapes review by current Inspector General reviews of the program, as he tried to mandate such reviews in last year’s reauthorization.
The minimization procedures also appear to support Julian Sanchez’ guesstimate of how they could pull up US person contacts, since a phone number or unique name are not explicitly included among the identifiers that would constitute IDing a US person.
Now, all that doesn’t specifically address the other lie Wyden and Udall invoked, which they describe “portrays protections for Americans’ privacy as being significantly stronger than they actually are.” But I think the points I’ve laid out above — particularly the cybersecurity collection that is entirely unmentioned in the 702 sheet — probably lays out the gist of Alexander’s lies.
The government has spent the entire time since these documents were revealed trying to lie to Americans about whether their contacts with foreigners can be retained and read. And those lies keep getting exposed.