Stanford CIS

New FISC Pen Register Opinion: It’s Just a Matter of Time Before Somebody Gets Hurt

By Jennifer Granick on

Cross-posted from Just Security.

Once again, the NSA has conducted illegal spying. New documents reveal the National Security Agency’s (NSA) systemic violation of Foreign Intelligence Surveillance Court (FISC) rules for domestic collection and use of Internet metadata. The agency’s hyper-aggressive interpretation of laws meant to balance privacy interests with intelligence needs, rampant violation of FISC imposed rules, and resistance to judicial oversight are shocking. But the documents also suggest mass surveillance can never be performed safely, regardless of good faith human efforts.

Last week, the federal government declassified and released thousands of pages of documents in response to Freedom of Information Act requests from the ACLU and Electronic Frontier Foundation. Among these documents were two FISC opinions related to the NSA’s collection and use of Internet metadata. The first opinion was in 2004 from Judge Claire Kollar-Kotelly authorizing the NSA to collect in bulk under the pen register statute so-called Internet metadata. This opinion is critical, even though the collection it authorized is now discontinued under this particular legal authority. This was the first time a FISC judge authorized bulk collection of data under the pen register statute, and it was subsequently used as the legal foundation for FISC approval of the NSA’s bulk collection of Americans’ calling information under section 215 of the USA PATRIOT Act.

The declassified portion of this heavily redacted opinion is flatly disturbing. Despite addressing critical issues of first impression, the opinion offers “head-scratching” statutory analysis, failure to comprehend how Internet transactional data differs from phone numbers dialed on the plain old telephone system, and based on that misunderstanding, a faulty decision that the 1979 case of Smith v. Maryland means the Fourth Amendment doesn’t protect Internet metadata. It is also disturbing that the government argued that the FISC’s much vaunted “oversight” of the agency’s novel bulk collection program should be limited to reviewing whether it had merely recited the proper certification words under the pen register statute, and that the FISC is barred from any substantive review of whether the government certification is founded in either law or fact. (Page 26).

Much of Judge Kollar-Kotelly’s discussion of the categories of metadata the NSA wanted to collect is redacted. However, my guess from the declassified legal analysis is that the NSA was asking Kollar-Kotelly for authorization to collect data not directly related to emails or other messages–which could include geolocation data, unique identification data, passwords, address books, contact lists, encryption keys, search queries, or cookie data–under the exceedingly low pen register standard.

Whatever categories of information the government wanted, Kollar-Kotelly concluded that some of the requested categories were the contents of communications between the Internet user and her service provider and, therefore, off limits. For the other categories, which included email to and from addresses, she issued the authorization order, along with a detailed set of post-collection regulations meant to minimize access to and use of U.S. person data.

Fast-forward a redacted number of years, but most likely to 2010, six years later. It turns out that the NSA violated Kollar-Kotelly’s order from the very beginning by collecting more data than it was authorized to obtain, perhaps the very data Kollar-Kotelly found were communications contents and off-limits. According to Judge John D. Bates, this overcollection continued for years, even though the agency had repeatedly, and erroneously, assured the FISC that it was following the rules.

Notwithstanding this and many similar prior representations, there in fact had been systemic overcollection since [redacted]. On [redacted] the government provided written notice of yet another form of substantial non-compliance discovered by NSA OGC on [redacted] this time involving the acquisition of information beyond the [redacted] authorized categories. … This overcollection, which had occurred continuously since the initial authorization in [redacted] included the acquisition of [redacted]. (Bates opinion at p. 20).

The government “provided no comprehensive explanation” of how such substantial overcollection happened for so long and despite its reports to the contrary.  The NSA provided, Judge Bates wrote, “only the conclusion that [redacted] [‘]there was a failure to translate the technical requirements’ [redacted] ‘into accurate and precise technical descriptions for the Court.’ [partially redacted citation]”

NSA had also queried the collected data without the required reasonable suspicion to do so. The agency also had disclosed U.S. persons’ data to other intelligence and law enforcement agencies in violation of the rules and without authorization from the appropriate parties to do so. Upon learning of this mistake earlier that year, Judge Reggie Walton had asked NSA to provide “a full explanation” of why the dissemination rule had been disregarded. (Bates opinion at 19). As Judge Bates put it:

In response to the later requirement, the government merely stated: “Although NSA now understands the fact that only a limited set of individuals were authorized to approve these releases under the Court’s authorization, it seemed appropriate at the time” to delegate approval authorities to others. The government’s explanation speaks only to the identity of the approving official, but a substantive determination regarding the counterterrorism nature of the information and the necessity of including U.S person information was also required under the Court’s orders. (citation). It appears that for the period preceding the adoption of the weekly reporting requirement [at Judge Walton’s request, probably in 2009], there is no record of the required determination being made by any NSA official for any dissemination.  As far as can be ascertained, the requirement was simply ignored.

In other words, for six years the NSA was collecting in bulk multiple categories of Internet communications data concerning U.S. persons and others, including categories that the FISC had not approved, and what may have included geolocation data, identifying information, passwords, address books, and encryption keys. Then, the agency’s lower level officials and analysts were blithely sending that information to other intelligence agencies and to law enforcement regardless of whether it was related to counterterrorism or not.

How could this have happened? Judge Bates does not know, since the NSA refused to provide the FISC with a “meaningful explanation”. (Bates opinion at p. 95). However, he charitably writes, “it seems likely that widespread ignorance of the rules was a contributing factor.” (Id.)

The NSA’s failure to comply with the Internet metadata collection rules is just one of three such known failures by the agency in the context of its novel exercise of surveillance powers directly impacting American privacy.

As we already learned, right from the start, the NSA failed to comply with limitations the FISC imposed on its use of Americans’ telephone call records collected under a similarly novel, and erroneous, interpretation of section 215. The agency was only supposed to search for telephone identifiers that satisfied a reasonable articulable suspicion (or RAS) standard. Instead, as numbers rolled into the database, analysts compared the information on a daily basis with non-RAS-approved numbers on an Alert List. The “Alert List” contained 17,835 numbers, of which only 1,935 met the FISC’s RAS-approved requirement. If there was a hit, then the NSA analysts would look to see if they had RAS-approval for the alerting number. If they did, they would conduct contact-chaining – three hops analysis – on the Americans’ flagged number.

So, the NSA did not have an approved factual basis for 89% of the numbers they used to search the phone records data. And the NSA’s illegal practice continued from 2006 until 2009. Only then did the NSA inform the FISA Court about it.

At that time, the Director of the NSA, General Keith Alexander, explained to Judge Walton that the reason the NSA kept making false reports to the FISC was because key personnel did not understand what the analysts were doing. And once those key people knew what analysts were doing, they were unaware that that information was not accurately represented in the NSA’s reports to the FISA Court. His declaration explains: “It appears there never was a complete understanding among key personnel who reviewed the report for the SIGINT Directorate and the Office of General Counsel regarding what each individual meant by the terminology used in the report. Once this initial misunderstanding occurred, the alert list description was never corrected since neither the SIGINT Directorate nor the Office of General Counsel realized there was a misunderstanding. As a result, NSA never revisited the description of the alert list that was included in the original report to the Court. Thus, the inaccurate description was also included in the subsequent reports to the Court.” Page 18 of March 5, 2009 Declaration of Alexander. So false reports just kept getting filed for years.

In sum, what was going on was just too complicated for any one person in the NSA to understand.

The third serious violation involved NSA’s collection of communications content under section 702 of the FISA Amendments Act. As Christopher Sprigman and I wrote in Forbes, the NSA misled the FISA court for over three years about the fact that every year the NSA is collecting at least 50,000 – and possibly many more – purely domestic communications between innocent Americans who have no foreign connections and are suspected of no crimes.

Since 2008, the FISA court was under the impression – courtesy of the NSA’s assurances in numerous submissions to the court – that the agency’s surveillance system pulled one message at a time out of the ocean of data flowing over fiber optic cables, and that the procedures the NSA used to select messages for collection prevented domestic acquisition except for “theoretically possible” cases.

To the contrary, NSA regularly captures what the agency calls “Internet transactions.” An “Internet transaction” may be comprised of a single message – an “SCT”, in NSA-speak. But Internet transactions often contain multiple messages – the agency refers to this bundle of messages as an “MCT”. If only one message in an MCT is responsive to the NSA’s targeting terms, the NSA’s devices nonetheless pull the entire package of messages into the NSA databases. This new information “fundamentally alter[ed]” the FISC’s understanding of the scope of NSA collection under section 702.

The public still doesn’t know how many purely domestic messages the average MCT might contain. In a press conference call following declassification of the court opinion revealing this problem, the Office of the Director of National Intelligence (ODNI) gave the example of an email inbox. The official said:

One example of [an MCT] is if you have a webmail email account, like Gmail or Hotmail or something like that, you know that when you go and you open up your email program, a screenshot of some number of emails that are sitting in your inbox. In the case of my server, what I get is the date of the email, the sender, the subject line, and the size of the email message. But I may get 15 of them at one time.

Based on this description, would a single MCT also include the transmission by Gmail of my entire email inbox, thousands of messages, when I log on? How about my whole address book, if it included the email address of a foreign intelligence target? Would it include everyone’s data when transmitted between service provider data centers?

The NSA also revealed to Judge Bates that it frequently collects single communication transactions (SCTs) just because they are about a target. The judge “expressed concern that this category of transactions might also contain wholly domestic communications”. Rather than “provide the Court with an estimate of the number of wholly domestic ‘about’ SCTs that may be acquired through its upstream collection”, NSA merely reported that “the probability of encountering wholly domestic communications in transactions that feature only a single, discrete communication should be smaller — and certainly no greater — than potentially encountering wholly domestic communications within MCTs.” While we don’t know the scope of overcollection in any particular MCT, by its own count, the NSA collects thousands of such packages every year that improperly contain purely domestic messages – categorically off-limits under U.S. surveillance law. Further, MCTs can and will contain messages that have nothing to do with foreigners or foreign intelligence.
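The two selection behaviours described above (pulling a whole multi-message bundle when one message is responsive, and matching a selector that merely appears in a message body) are what drive the domestic overcollection. The following is an added illustration written for this post; it is not NSA code and not drawn from any of the court opinions. The transactions, addresses, selector and the "wholly domestic" rule (both parties in a constructed set of U.S. persons) are all made up for the example. It compares transaction-level acquisition against message-level acquisition, with and without "about" matching, and counts how many wholly domestic messages each mode sweeps in.

```python
"""Model of SCT/MCT acquisition: transaction-level vs message-level selection.

Constructed example for illustration only. None of the data below comes
from the declassified documents; addresses and message bodies are invented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    body: str


@dataclass
class Transaction:
    """One captured unit. An SCT carries one message, an MCT several."""
    messages: list

    @property
    def kind(self) -> str:
        return "SCT" if len(self.messages) == 1 else "MCT"


# Constructed sample data (hypothetical addresses, not real targets).
TARGET = "target@example.org"                      # the selector being tasked
US_PERSONS = {"alice@example.com", "bob@example.com",
              "carol@example.com", "dave@example.com"}

TRANSACTIONS = [
    # An MCT: a webmail inbox listing carrying four messages, only one of
    # which is to/from the selector; the other three are purely domestic.
    Transaction([
        Message(TARGET, "alice@example.com", "meeting on thursday"),
        Message("bob@example.com", "alice@example.com", "lunch?"),
        Message("carol@example.com", "alice@example.com", "invoice attached"),
        Message("dave@example.com", "alice@example.com", "photos from the trip"),
    ]),
    # An SCT between two U.S. persons that merely mentions the selector.
    Transaction([Message("bob@example.com", "carol@example.com",
                         "did you ever hear back from target@example.org?")]),
    # An SCT with no relation to the selector at all.
    Transaction([Message("dave@example.com", "bob@example.com", "weekend plans")]),
    # An SCT genuinely to/from the selector.
    Transaction([Message(TARGET, "dave@example.com", "hello")]),
]


def message_matches(msg: Message, selector: str, about: bool = False) -> bool:
    """To/from match on addresses; with about=True, a body mention also counts."""
    if selector in (msg.sender, msg.recipient):
        return True
    return about and selector in msg.body


def wholly_domestic(msg: Message, us_persons: set) -> bool:
    """Constructed rule: both ends of the message are U.S. persons."""
    return msg.sender in us_persons and msg.recipient in us_persons


def acquire(transactions, selector, about=False, whole_transaction=True):
    """Return the messages that end up in the database.

    whole_transaction=True keeps every message of any transaction in which
    at least one message matches (the MCT behaviour described above).
    whole_transaction=False keeps only the individual matching messages.
    """
    acquired = []
    for tx in transactions:
        hits = [m for m in tx.messages if message_matches(m, selector, about)]
        if not hits:
            continue
        acquired.extend(tx.messages if whole_transaction else hits)
    return acquired


def report(transactions, selector, about=False, whole_transaction=True):
    """(messages acquired, wholly domestic messages among them)."""
    got = acquire(transactions, selector, about, whole_transaction)
    return len(got), sum(wholly_domestic(m, US_PERSONS) for m in got)


if __name__ == "__main__":
    for about in (False, True):
        for whole in (True, False):
            n, dom = report(TRANSACTIONS, TARGET, about, whole)
            print(f"about={about!s:5} whole_transaction={whole!s:5} "
                  f"acquired={n} wholly_domestic={dom}")
```

Running it shows the asymmetry the court was worried about: with to/from matching alone, transaction-level acquisition of the single inbox MCT pulls in three purely domestic messages that message-level selection would never touch, and enabling "about" matching adds a domestic SCT whose only connection to the selector is a mention in its body. The counts scale with how many messages a provider bundles into one transaction, which is exactly the number the public still does not know.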

Based on the internal auditing the NSA did provide, Judge Bates made his own back of the envelope calculation, and puts the number of improperly collected American messages at approximately 56,000 a year.

In this 2011 opinion, Judge Bates described the NSA’s pattern of lying to the FISC, identifying three instances in as many years, which we now believe relate to all three suspicionless domestic spying programs that we now know about. In Footnote 14, the clearly outraged judge said that not only had the NSA misled the court about its domestic overcollection under section 702, it had also misrepresented so frequently and systematically how it conducted its program to collect and query Americans’ phone call records that the agency had utterly subverted the Court-mandated oversight regime. (That footnote contains a redaction that is probably about the Internet metadata collection under the pen register statute, and, if so, should probably be declassified and released in full now.)

In sum, we see a very aggressive executive agency pushing the FISC hard for novel and expansive spying powers, winning that authorization despite misrepresentations and resistance to oversight, and then repeatedly transgressing restrictions the FISC sought to impose on the NSA’s exercise of those powers.

There are ample reasons to believe that such systematic violations are not just accidents, but reckless or even intentional disregard for oversight, the rule of law, and individual privacy interests. The FISC itself suggested in connection with both the section 702 overcollection and the pen register overcollection that the NSA was potentially in violation of criminal law.

But the current focus on “intent” – whether DNI Clapper and DIRNSA Alexander intentionally lied, whether NSA analysts are hard-working patriots – misses a more important lesson we might learn from these revelations. Unintentional mistakes are business as usual in complex surveillance systems, and where mass surveillance is the practice, the mistakes will invade the privacy of tens of thousands – or hundreds of millions – of people.

Charles Perrow, an emeritus professor of sociology at Yale University, and visiting professor at Stanford University, writes about the impact of large organizations on society. His work focuses on regulation of risky, complex technical, economic, and bureaucratic systems such as nuclear power plants in hopes of making them less risky. Perrow’s insights include the fact that accidents are inevitable in tightly coupled, highly complex systems. Sometimes, major disasters are the result of failed regulation, ignored warnings, inept response to failure, and commonplace human error. But, despite the best attempts to forestall them, “normal accidents” will inevitably occur in the complex, tightly coupled systems of modern society, resulting in unpredictable, cascading disaster. In sum, some complex systems with catastrophic potential are just too dangerous to exist, because they cannot be made safe, regardless of human effort.

According to Perrow, a normal accident typically involves interactions that are “incomprehensible for some critical period of time.” The system is so complicated that the people involved are not notified quickly enough that things are going wrong. In this kind of system, larger inexorable forces are often more important than the good intentions of any individual. Disastrous mistakes will happen, no matter how well-trained or well-intentioned personnel may be, no matter what safeguards you try to place on the system.

By NSA’s own admission, their surveillance practices are too complex for them to understand themselves. Alexander repeatedly excused the agency’s misstatements to the FISC on the grounds that NSA’s people did not understand the technology, did not understand the rules, and did not understand who was telling what to whom. I assume this is meant to be an excuse. But actually, it might be a far more intractable indictment of the path we’ve embarked on since this nation first started secretly allowing mass surveillance. Suspicionless spying has expanded the dangers to society from domestic political oppression, international privacy invasion, identity theft, stalking, and other data misuse faster than we have developed our collection of tools, practices, and talent to control it.

Read the minimization procedures, especially if you are a lawmaker or a federal court judge. Do you understand them? Do you understand the different ways that NSA analysts are allowed to use different repositories of different kinds of metadata collected from different places under different legal authorities? Couple that with content surveillance and the collection of other kinds of information. Could you competently oversee this? Do you have faith that Congress, FISC judges, or an independent constitutional/privacy advocate can?

It may be time to face the fact that data collection this vast and this complicated will inevitably, regularly and routinely violate the rules, invade Americans’ and other peoples’ privacy, and be misused and abused. To paraphrase Berkman fellow Camille Francois, we have technically, legally and politically allowed the creation of a massive surveillance platform, and we are depending on secret, complicated and arcane regulation and internal oversight to hope no one comes to use this weapon against our freedoms. It is possible that such a system could be consistent with democracy if only it had better regulation, more oversight, more specialized technology, the ability to learn from mistakes, and better trained officers and analysts. If legislation, regulation and oversight are going to provide important democratic and commercial safeguards against the dangers of surveillance, we need to go much, much bigger. We will also need to keep the rules simple enough that the NSA can’t twist them beyond recognition, and well-meaning analysts, Congress, FISC judges and the public can follow along.

But perhaps we see a system way too big and complicated to govern. Not that long ago, this country interned over 100,000 citizens just because they were Japanese. Our Federal Bureau of Investigation wrote a terrifying letter to Dr. Martin Luther King, Jr. How much broader, more effective, and frightening could these atrocities have been if the government had been collecting search histories, geolocation data, calling records, associates, friends and family, address books, and contact lists? If we’ve built a surveillance system that is too big and complicated to govern, where no one really understands what is going on, “normal accidents” will happen, and when they do, because of the scale of surveillance, the impact of the mistakes will be huge.

Published in: Publication, Other Writing, Privacy, NSA, FISC