ODNI’s Transparency Report: What It Tells Us, and What it Doesn’t

The following is cross-posted from The Classified SectionOpenTheGovernment.org’s new blog on national security secrecy. 

The Office of the Director of National Intelligence has released some statistics on its use of surveillance authorities, fulfilling a promise made last August 30 and reiterated in the White House’s Open Government National Action Plan in December. (They are also essentially the same statistics that the House-passed version of the USA FREEDOM Act requires the DNI to publish—a sign of the extent to which the intelligence community rewrote that bill before it passed the House.)

The ODNI report provides the number of “orders issued” and “targets affected” under section 215 of the PATRIOT Act, section 702 of FISA, FISA’s pen register/trap and trace provision, and other sections of FISA. But one order can authorize collection from tens of thousands of “targets.” More importantly, particularly with respect to section 215 and section 702, the intelligence community can collect and search the communications and metadata of many, many more people than its reported number of “targets.”

Section 702

According to the report, in 2013 the U.S. government collected information pursuant to one court order, which authorized intelligence collection directed at 89,138 overseas foreign targets. A “target” could be an individual, but it could also be “any group, entity, association, corporation, or foreign power”—e.g. Iran, or Wikileaks, or Al Qaeda. Americans cannot be “targets” under section 702, but their communications with targets can be intercepted. It is unknown how many U.S. citizens have been in contact with the 89,138 section 702 targets.

The NSA can also intercept communications about targets, even where the target is not a party to the communication. According to NSA procedures,

in those cases where NSA seeks to acquire communications about the target that are not to or from the target, NSA will either employ an Internet Protocol filter to ensure that the person from whom it seeks to obtain foreign intelligence information is located overseas, or it will target Internet links that terminate in a foreign country.

But ISP filters and targeted internet links are imperfect protections, as explained by the Electronic Frontier Foundation when “about” collection was first revealed. According to EFF, a U.S. citizen sending an email to another citizen about a 702 target could have their communications intercepted by the NSA:

  • if they’re outside the U.S.;
  • if they’re inside the U.S., using Tor, and their IP address looks like it’s outside the U.S.;
  • if they’re inside the U.S., using a VPN, and their IP address looks like it’s outside the U.S.;
  • if they’re inside the U.S. and their IP address doesn’t accurately reflect their location for any host of reasons;
  • if they’re inside the U.S. and their communications are backed up or stored abroad.

The recent ODNI report gives us very little idea of the scope of “about” collection, other than to clarify just how large the pool of “targets” is.

The NSA can also search the information it collects under section 702 for the communications of American citizens, without a warrant and without probable cause. (This is commonly referred to the “backdoor search” loophole. The House of Representatives recently voted to close it, but those provisions are a long way from being signed into law.) To date, the intelligence community has not responded publicly to multiple requests from members of Congress about the number of “backdoor searches” it conducted of section 702 data for Americans’ communications.

UPDATE: Shortly after this post was published, the NSA’s response to a question from Senator Ron Wyden on “backdoor” searches of 702 data was released.)

Section 215 Telephony Metadata

ODNI reports that the NSA queried its huge store of telephone records metadata using 423 selectors, of which 248 belonged to “known or presumed U.S. persons.” That sounds like a relatively small number. But we now know that the NSA acquired records of a massive number of the telephone calls in the United States, and accessed far more than 423 people’s phone records.

The NSA used those 423 selectors to compile a database called the “corporate store,” containing the records of ““all telephone calls within three ‘hops’ of every currently approved selection term.” The Privacy and Civil Liberties Oversight Board (PCLOB) estimated that if the NSA conducted queries using 300 selectors:

during the course of one year the corporate store could acquire the complete calling records of 1.5 million telephone persons…which could encompass records of telephone calls made between these numbers and over 100 million other numbers.

Querying 423 numbers instead of 300 would take the total to over 2 million numbers’ complete call records. (Reducing the number of “hops” from 3 to 2, as the NSA now does but did not last year, will reduce the rate at which new information is added to the “corporate store”.)

There is no time limit on how long call records can be stored in this shadow database; no requirement that the government demonstrate “reasonable articulable suspicion” of a search term’s connection to terrorism before conducting backdoor searches for that term; and no audit trail for such searches. The NSA can apply “the full range of signals Intelligence analytic tradecraft” to “every record in the corporate store,” including combining it with information collected under section 702 of FISA and Executive Order 12333.

Executive Order 12333

ODNI’s report contains no information about the scope of collection under Executive Order 12333, the least understood of the NSA’s surveillance authorities. According to news reports, the NSA collects a huge volume of information under the Executive Order, including Americans’ communications. These programs are not overseen by the Foreign Intelligence Surveillance Court or routinely briefed to Congress (although the Senate Intelligence Committee has reportedly begun an investigation of them).

The transparency report is a small step towards openness–but ODNI is still concealing much, much more than it reveals about the scope of surveillance.

 

Categories: Uncategorized