NSA Internet Metadata Program Collected More Than Was Allowed, Shared Data Too Broadly

A now-defunct National Security Agency (NSA) bulk collection program that collected information about online communications exceeded its authority, collected too much, and shared that information too freely, recently declassified court documents show.

The program collected, according to the official IC On The Record Tumblr page, “certain electronic communications metadata such as the ‘to,’ ‘from,’ and ‘cc’ lines of an email and the email’s time and date.” The compliance issues detailed below are generally self-reported, and thus cannot be treated as the full extent of the NSA’s overreaches of its authority during the life of the particular program.

The government, the document indicates, “acknowledges that NSA exceeded the scope of authorized acquisition continuously during the more than [redacted] years of acquisition under [the] orders.”

According to the document, the Foreign Intelligence Surveillance Court (FISC, which in this post is referred to as the FISA court) authorized the NSA to “engage in the bulk acquisition of specified categories of metadata about Internet communications.” Queries were to be executed through the use of “seed” accounts, which the material defines as “Internet accounts for which there was a reasonable articulable suspicion (‘RAS’) that they were associated with a targeted international terrorist group.”

For United States persons, the FISA court document notes that RAS “could not be based solely on activities protected by the First Amendment.”

The document also notes that the “NSA could disseminate U.S. person information to other agencies only upon determination by a designated NSA official that it is related to counterterrorism and is necessary to understand the counterterrorism information or to asses its importance.”

Why did the NSA need to collect so much information? The document is at times heavily redacted, and so the reasoning here is choppy. The below screenshot contains the section that details the argument for the bulk collection in question:

Screen Shot 2014-08-12 at 5.09.23 PM

An initial episode of unauthorized collection — filed as a Notice of Compliance Incidents — stemmed from what the government described as a lack of knowledge among NSA employees who then miscommunicated with [redacted] parties, whom I suppose to be contractors.

The court asked the government if information other than metadata had been collected. It was told that no other types of information had been. The document dryly notes that “this assurance turned out to be untrue.”

In what appears to be a later incident — all numerical dates are redacted in the document — a “typographical error” also led to “unauthorized collection.”

Threes’ Company

In the language of the document, the “next relevant compliance problems surfaced in [redacted] year” and touched on “accessing metadata,” the “disclosure of query results and information derived therefrom” and “overcollection.” In short, three separate ways that the NSA managed to exceed its authority in its operation of the program.

After the government disclosed that the “NSA had regularly accessed the bulk telephone metadata using a form of automated querying based on phone numbers that had not been approved under the RAS standard,” the FISA court “ordered the government to verify that access to the bulk [Internet] metadata complied with comparable restrictions.” In short, because the government had overstepped in a similar program, it was pressed to show that with the Internet communications metadata, it had not.

The government came back and said that a “discontinued” query practice that did not square with the RAS system had existed. The NSA promised to go through its Internet communications metadata program to stiffen compliance. A bit late, perhaps.

Continuing the year’s compliance issues, NSA analysts who “were not authorized to access” the Internet communications metadata “directly nonetheless received unminimized query results,” according to the court.

The NSA also admitted to “placing [query] results into a database accessible by other agencies’ personnel without the determination, required for any U.S. person information, that it related to counterterrorism information and was necessary to understand the counterterrorism information or assess its importance,” another breaking of the rules.

The NSA, according to the court, also “made it a general practice to disseminate to other agencies NSA intelligence reports containing U.S. person information extracted from the [Internet] metadata program without obtaining the required determination.” So, the NSA was more than willing to share information about U.S. citizens with other agencies, not in keeping with the rules set down to government the program that collected the data, or its sharing.

According to the FISA court, the government “simply ignored” the dissemination rules in place.

And finally, regarding overcollection, the government filed “yet another form of substantial non-compliance ” relating to the collection of “information beyond the [redacted] authorized categories.” Apart from the other types of data that were collected, the government said that “[v]irtually ever [Internet] metadata record” that was collected — and here now according to the court — “included some data that had not been authorized for collection.”

The FISA court document deadpans that the “government […] provided no comprehensive explanation of how so substantial an overcollection occurred.” The document also says that the government [said] nothing about how the systemic overcollection was permitted to continue.” Or, put another way, the government didn’t break down how it managed to get it so wrong, for so long.

Citing the massive failure of the NSA to stay within its lanes, the court determines that “those responsible for conducting oversight at the NSA failed to do so effectively.”

Call it the understatement of the year.

In short, the NSA was given the capability to collect bulk Internet communications metadata, subject to restrictions on who could access the data, how it could be shared, and precisely what sort of information could be acquired.

In each case it broke the rules, collecting too much, allowing unauthorized parties to search the pooled data, and sharing it too broadly without adequate protections.