Cross-posted from Just Security.
Does the NSA minimize Americans metadata? Today’s reporting by the Intercept calls into question whether the NSA minimizes so-called metadata relating to Americans’ digital communications and telephone calls. This is one of the questions I implored the Privacy and Civil Liberties Oversight Board (PCLOB) to get to the bottom of. It is a question that PCLOB Chairman David Medine thought the Board had a definitive—affirmative–answer to. But today’s story shows doubt still plagues our understanding of how the NSA’s information collection affects American privacy.
The Intercept story describes ICREACH, a search interface that enables NSA to effectively share communications metadata as well as foreigners’ communications with 23 U.S. Intelligence Community agencies, including the FBI and DEA. ICREACH provides access to data collected under the authority of Executive Order 12333, as well as databases generated from other collection techniques. The Intercept describes the data shared via ICREACH as “telephony metadata events”, which includes “more than 30 different kinds of ‘metadata’ on Internet communications, phone calls, faxes, text messages, as well as location information collected from cellphones.
The Intercept reporters conclude that the ICREACH databases contain U.S. persons’ telephony metadata. That’s because a memo written in 2006 by then-NSA chief General Keith Alexander explains that the ICREACH project will make “many millions of…minimized communications metadata records” available. Since only American’s communications are minimized, Alexander appears to be talking Americans’ metadata associated with our communications.
If such data is accessible via ICREACH, it means that U.S. persons’ data can be easily searched on a large scale by agencies like the FBI and DEA for their domestic investigations and expands the capabilities of law enforcement agents using—covertly or openly—information gleaned from covert surveillance.
In the past, the IC has assuaged Americans’ concerns on these matters by saying that, even when our data is inadvertently scooped up in foreign intelligence surveillance, it is not subject to analyst review because the information is “minimized”. Minimization procedures differ depending on the NSA’s collection technique, but the term refers to procedures that limit the acquisition and retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons, consistent with foreign intelligence needs. Foreigners’ communications and data are not minimized.
So, what are the “minimized communications metadata records” that ICREACH appears to include? It sounds like, contrary to the public understanding of IC assurances, ICREACH was designed to include the metadata connected to communications to, from, or about US persons. How could this be?
I have hypothesized that NSA does not limit analysts’ access to communications metadata like telephone numbers, email addresses, device identifiers, and location information. That’s because the thirteen-page minimization procedures for section 702 collection only apply to communications. The same is true of the USSID18 procedures. If the IC excludes unshared stored data and other user information from the definition of communications, no minimization rules at all apply to protect American privacy with regard to metadata NSA collects, either under 12333 or section 702.
Now, PCLOB investigated this question when writing its report on section 702 surveillance, which collects US persons’ one end foreign communications to from and about foreign intelligence targets of interest. David Medine pointed out that the report answers this question directly:
“Everything that is collected under Section 702 is treated as a ‘communication’ and therefore is protected by the applicable minimization procedures.” PCLOB report at p. 127 n. 524. As explained elsewhere in the report, the statute itself “requires that all acquired data be subject to minimization procedures.” PCLOB report at p. 50 (emphasis added).
Either the PCLOB is confused, NSA uses a different definition of “communication” for E.O. 12333 than it does for section 702, or Alexander’s phrase “minimized communications metadata records” means something other than the metadata associated with minimized communications.
I think the first and the third possibilities are the most likely. The sentences that Chairman Medine cites in PCLOB report mean different things. Every piece of data may be run through the minimization rules, but if the rules do not dictate that the data be treated a certain way, then it will not be redacted, marked for limited dissemination, or scheduled for destruction. NSA may nevertheless call this “minimized”, in that the minimization rules, which require nothing to be done, have been applied to the data in question. But the data would not be “minimized” in that it would not be redacted, withheld, or deleted. The assertion on PCLOB’s page 127, n. 524 is the one that counts. But the PCLOB report doesn’t cite any testimony, documents, or other authority for the assertion. Given the confusing ways NSA uses language, to put it nicely, I wouldn’t put it past the agency to have misled the PCLOB.
It’s also possible that “minimized communications metadata records” means something other than the metadata associated with minimized communications. But, given the categories of metadata we are talking about, I’m not sure what that would be.
Immediately following the PCLOB report, the Washington Post had a story about how inadequate the NSA’s foreignness determinations and minimization procedures under section 702 are to protect American privacy. Today, the Intercept’s news reporting suggests that the official policy story on metadata collection, sharing and analysis is also off base.