Published by The Lawfare Institute
in Cooperation With
As the NSA claimed when it released the reports, the bulk of the suspected violations of applicable policies appear to be unintentional. It is nevertheless difficult to pinpoint the precise scale of the suspected violations: typically redacted from the reports, for example, is any mention of the number of times a certain category of violation occurred.
Below is a high-level look at the problems described in the historical IOB reporting---our generality again owing mostly to redactions in the declassified material. Broadly speaking, the NSA’s reporting describes compliance difficulties in four areas: tasking and/or targeting; querying of collected data; data handling; and training. We note examples of each, in turn.
Tasking and/or Targeting Errors
As part of their work, NSA personnel must “task”---that is, turn the agency’s attention to---certain targets. Naturally enough, one set of violations in the reports comprises “tasking errors,” including the unintentional targeting of United States persons or foreign intelligence targets, and targeting beyond the scope of authorizations granted by the Foreign Intelligence Surveillance Court (FISC) and/or the Attorney General (AG). For the most part, these appear to consist of unintentional human mistakes, made in the course of routine collection. (While the overwhelming majority of tasking errors seemed to stem from human error, the documents make clear that unspecified software problems also did on occasion result in unauthorized collection.)
As for what the human errors looked like: Many of the reports cited typographical or translation muckups that resulted in the tasking of United States persons. NSA personnel also mistakenly identified United States persons as foreign intelligence targets; one presumed foreign intelligence target was, for example, associated with a U.S. person holding dual citizenship (FY 2012, Q2; FY 2009 Q2). In other cases, “selectors” for foreign intelligence targets---that’s NSA lingo for things like numbers or IP addresses associated with particular people---should have been detasked once the target was found to be located in the United States, but mistakenly remained tasked or were mistakenly retasked after surveillance should have concluded (FY 2013, Q1). At times this was due to miscommunication between analysts (FY 2011, Q1; FY 2009, Q2), forgetfulness, or accidental oversight. Other tasking errors arose from failures to conduct sufficient research before targeting individuals who turned out to be U.S. persons or non-U.S. persons that were in the United States (CY 2008), or erroneous tasking of targets due to confusion about the appropriate certification authority required to proceed (FY 2009, Q2). On at least one occasion, analysts tasked U.S. persons after receiving a copy of an NSA request to the AG to target such individuals, not knowing that NSA needed to obtain final AG authorization before conducting the surveillance in question (FY 2004, Q1).
In some instances, analysts even tasked themselves. Some such errors likewise were unintentional, as when an analyst inadvertently requested the tasking of his own personal identifier instead of the selector associated with a foreign intelligence target (FY 2013, Q1; CY 2008). On other occasions, analysts apparently intended to task themselves as targets, mistakenly believing that doing so was acceptable (FY 2012, Q2).
While unintentional violations seemed to comprise the overwhelming majority of identified tasking errors, others seemed less innocent. One soldier in the U.S. army, for instance, used the SIGINT system to target his wife (CY 2009), while an NSA employee also used the SIGINT system to target his foreign girlfriend (FY 2006, Q3). In another case, a U.S. Navy cryptologist admitted to targeting his ex-wife and family members, though no other affirmative evidence was found to substantiate his claims (CY 2008). In yet another instance, an NSA employee revealed during a pre-polygraph interview that he had misused the SIGINT system by conducting unauthorized electronic surveillance of a non-U.S. person abroad for no legitimate foreign intelligence purpose (FY 2005, Q2).
Tasking errors also lastly arose in unusual circumstances involving otherwise permissible surveillance. For instance, an analyst tasked a consenting target retroactively, prior to the consensual collection authorization date (CY 2008). And in at least one instance, an analyst tasked a U.S. person target she suspected would pose an urgent threat, but without first seeking emergency authorization to target the individual (CY 2008).
(Interestingly, the recently unsealed documents also shed some light on tasking undertaken on the NSA’s own initiative---that is, in situations when approvals from the FISC or from the AG were, in agency’s view, not strictly required. For instance, it seems the Director of the NSA approved consensual collection against certain U.S. persons, as is allowed under E.O. 12333; the Director also in several instances approved the non-consensual collection as against U.S. companies owned by foreign governments and U.S. persons known to be agents of a foreign power, among other entities (FY 2006, Q2; FY 2006, Q3). In at least one instance, the NSA invoked the emergency authorization exception to target a U.S. person known to be involved with certain terrorist activities for 72 hours, pending AG authorization to target the individual over a longer period (FY 2005, Q1).)
Database Querying Errors
NSA personnel search for information by querying the agency’s vast databases of collected material. Suspected violations here typically involved overly broad or poorly constructed queries of the NSA’s troves---for example, queries that potentially sought, or in fact returned, information about United States persons in violation of statute, executive order, or NSA policy.
For instance, NSA personnel did not always conduct the necessary research on their selectors before performing submitting database queries involving them (FY 2013, Q1). Analysts also on occasion performed queries containing U.S. telephone numbers, assuming that the queries “had already been properly vetted” but without having personally verified that the queries were in conformity with agency procedures (FY 2010, Q2). Other times, overly broad database queries occurred, not as a result of failure to take proper care in researching the selectors but instead as a result of “misunderstandings of authority” or improper guidance (CY 2009). Several database queries thus included selectors associated with United States persons (FY 2013, Q1), though not all such queries resulted in actual data retrieval. On other occasions, NSA personnel queried a raw SIGINT database (FY 2010, Q2). Database query violations likewise occurred when analysts were honing their skills. For example, a newly assigned analyst performed a query in a raw SIGINT database using his personal e-mail address to “practice” using the system, since it had been over a year since the analyst last had used the database (FY 2010, Q2).
Analysts sometimes used the database to search for information on other analysts. In one instance, an analyst mistakenly queried data related to a co-worker, because the analyst was “not familiar with the database’s user interface” (FY 2010, Q2). On another occasion, an analyst improperly searched for information on eight other analysts in order to “acquire translation metrics for their performance appraisals.” (CY 2008).
Data Handling Errors
In some cases, SIGINT analysts reviewed intelligence databases to which “they improperly retained access from previous assignments.” (CY 2007). Errors also typically arose in interactions between analysts with different levels of authorization. For instance, analysts enlisting the help of other analysts resulted in FISA data being viewed at NSA sites not approved for such data (FY 2009, Q2); in other cases, analysts also accidentally sent FAA data to unauthorized recipients, such as when one analyst sent FAA information via e-mail to a group e-mail list that included some individuals who were not cleared to receive the attached information. In at least one instance, an NSA supervisor mistakenly granted database access to individuals not authorized for access (FY 2009, Q2). Some cases involved forwarding U.S. person identities to unauthorized recipients (FY 2013, Q1). When that happened, remedial steps included cancelling SIGINT product reports entirely or reissuing the reports with the proper minimization standards applied to them. (CY 2007).
Data retention and destruction were issues as well. Analysts often did not remove SIGINT from NSA databases in a timely manner, or simply forgot to purge data from all relevant databases as opposed to one. (CY 2008). In some cases, U.S. person data was improperly retained for some period because the target was believed to be foreign at the time of tasking but was later found to be a U.S. citizen, and NSA analysts failed to request authorization to retain the U.S. person data (FY 2009, Q2). In still other cases, there was incorrect labeling and entry of U.S. identities into databases, which could lead to delayed data destruction. (CY 2009, CY 2010).
The documents lastly describe various training and education shortcomings. By way of example, one report noted the NSA’s Hawaii workforce demonstrated a general lack of understanding of “SIGINT collection, minimization, and dissemination,” though the same report also found that the Hawaii outpost had not engaged in any “questionable” intelligence activities (CY 2008).