Published by The Lawfare Institute
in Cooperation With
Congress has only three months to complete a task that it considers necessary but that is also controversial: reauthorizing Section 702 of the Foreign Intelligence Surveillance Act. Section 702 authorizes the government to target surveillance at non-U.S. persons reasonably believed to be located abroad. Such surveillance can also include their communications with non-targeted U.S. persons. Republicans on the Senate Intelligence Committee, as well as the Trump administration, support permanently reauthorizing the surveillance law as it currently exists. Proponents of a permanent reauthorization argue that there have been no discovered instances of willful abuse or intentional misuse. While true, this misses the different but still fundamental problem of unintentional—not willful—noncompliance.
New America’s Open Technology Institute (OTI) has conducted a thorough review of every declassified document on Section 702 to identify publicly available information about violations of the targeting and minimization procedures. Our study demonstrates that there have been numerous unintentional violations of program rules and shows the extent of noncompliance with the requirements designed to protect U.S. persons’ privacy. OTI has organized the findings of its review in four timelines that allow readers to see details about each violation and its remedy where applicable, and that provide links to the associated primary sources and page citations. The timelines also allow readers to toggle between different types of violations so that they can see a visual representation of their frequency or scale, broken down by incident category.
The timelines illustrate that because Section 702 is so sprawling and complex, and intelligence community analysts are vulnerable to human error, compliance incidents are inevitable. The timeline also shows that unintentional compliance incidents are more likely to be persistent or systematic than individual instances of willful misconduct and can take years to identify and mitigate. As such, the harms that result from unintentional violations can be far more prolonged and cumulatively significant than even intentional violations. Therefore, Congress should enact strong protections in law to reduce the potential for unintentional compliance violations.
While the non-compliance rate is, on average, only approximately 0.5%, the impact on privacy can still be significant because of the high volume of collection under Section 702 and the scale of actions taken with those data, such as queries and disseminations. Indeed, in their semi-annual assessments of Section 702 compliance, attorneys general (AGs) and directors of national intelligence (DNIs) regularly note:
While the incident rate remains low, this percentage in and of itself does not provide a full measure of compliance in the program. A single incident, for example, may have broad ramifications and may involve multiple facilities [e.g. communications accounts]. Other incidents, such as notification delays...may occur with frequency, but have limited significance with respect to United States person information.
AGs and DNIs also note that:
Tasking and detasking incidents often involve more substantive compliance incidents insofar as they can (but do not always) involve collection involving a facility used by a United States person or an individual located in the United States. Furthermore, incidents of noncompliance with minimization procedures are also a focus of the joint oversight team because these types of incidents may involve information concerning United States persons.
OTI’s analysis shows that the vast majority of compliance incidents fall into those categories that pose the greatest threat to Americans’ privacy. These violations pertain to tasking, where a person or account is improperly targeted for surveillance; detasking, where surveillance of a person or account doesn’t stop when it’s no longer authorized; querying, where analysts improperly search for an individual or account-holder’s communications, including those belonging to U.S. persons; and data retention, where data that should have been purged are not deleted as required.
For example, in the 2015 AG and DNI semiannual assessments—the most recent year with publicly available statistics about compliance violations—42.3% of all National Security Agency violations in the first half of 2015 and 58.8% in the second half involved improper tasking. Throughout all reporting periods, these violations most commonly occurred when NSA analysts failed to sufficiently establish that its targets were non-U.S. persons located abroad. Other violations occurred because of poor inter- and intra-agency communication about a target’s U.S. person status or location, typographical errors when entering targeting information, or because of technical errors with NSA systems.
In the same year, detasking violations accounted for 24.3% of all NSA violations through May, and 21.5% through November. Compliance reports and assessments show that detasking violations were usually the result of faulty analyses or misunderstanding procedures, unspecified inadvertent errors, and poor inter- and intra-agency communication about the location or status of a target.
As compared to tasking and detasking violations, overcollection incidents are uncommon, but they significantly harm privacy by collecting communications that do not belong to or concern any authorized surveillance target. One incident is of particular note because it demonstrates how problems with overcollection can be systemic and have substantial effects on privacy. As explained below, the remedy to that incident did not stop continued overcollection and instead focused on how to handle data once it was in government repositories. As a result, the remedy failed to address the privacy concern implicated, and where the remedy could not be sufficiently implemented it led to a different, ongoing violation. This overcollection incident involved upstream “about collection,” which began no later than 2006 and involves the collection of communications that are “about” or reference a target, in addition to communications that are “to” or “from” the target. In the spring of 2011, the government informed the Foreign Intelligence Surveillance Court (FISC) that, as part of its “about” collection, it engaged in significant overcollection where the NSA knowingly and intentionally acquired what it estimated to be tens of thousands of wholly domestic communications annually, though the court noted that the “sheer volume of transactions acquired by NSA through its upstream collection [renders]...any meaningful review of the entire body of the transactions...not feasible.”
The FISC held that the overcollection was unconstitutional and ordered that the NSA temporarily stop upstream surveillance until the government could apply procedures to better protect Fourth Amendment rights. When upstream surveillance was reauthorized, part of the remedy for the earlier violations was that the NSA was required to segregate and limit access to the internet transactions that were most likely to contain non-target information concerning U.S. persons. Specifically, the government was prohibited from running searches for U.S. persons’ communications against upstream data. However, in early 2015 the Inspector General found that the FISC’s remedy had not been effective because—despite efforts to segregate the data—the NSA had been searching upstream data using U.S. person identifiers. The FISC, which was briefed in October 2016, described this incident, which violated the remedy to the 2011 overcollection violation, as “significant noncompliance” and “a very serious Fourth Amendment issue.” In March 2017, the NSA determined that no solution was feasible, so it ended “about” collection and deleted the previously collected data.
This most recent query violation is part of a long history of inadvertent improper searches of Section 702-acquired data for U.S. persons and non-U.S. persons’ communications alike. Declassified documents show reports of query violations going back to 2009. Query violations predominantly involved the NSA and FBI conducting improper searches for U.S. persons’ communications or overbroad searches that were not designed to return foreign intelligence information. For example, in the first half of 2015, 29% of all violations of NSA minimization procedures resulted from overbroad queries that were not reasonably constructed to return foreign intelligence information. No information pertaining to improper queries for U.S. person searches from that reporting period is publicly available. In the second half of that year, 56% of all violations of NSA minimization procedures pertained to improperly searching through Section 702-acquired data. There, just over half of those violations concerned overbroad queries, and just under half concerned improper U.S. person searches.
There is no public information about the total number of query violations intelligence agencies report each year. Public reporting shows that in 2016 the NSA and CIA conducted well over 35,000 queries of content and metadata for U.S. person’s communications. The FBI does not track how many U.S. person queries it conducts, so it is unclear how it identifies violations of query requirements. However, the FBI searches databases that include some Section 702 information for U.S. persons’ communications as a matter of routine, with a frequency the DOJ has compared to Americans’ use of Google.
Concerns regarding query violations also demonstrate the importance of strict compliance with data retention rules. Statistics regarding data retention violations are not publicly available, however, declassified documents reference technical compliance incidents involving data retention and purge requirements. In one case, the government unlawfully collected data for a period of time and requested the FISC to allow it to store and use that data in spite of it being the fruit of unlawful collection. The government proposed that it be permitted to continue storing the data in the two databases where it resided at the time of the request. The court rejected the government’s request. In July 2015, almost five years after the FISC required that the data be destroyed, the government notified the court that they had not been deleted. The court responded to this notification by stating that it was “very surprised to learn” about the government’s failure to delete all data subject to the purge requirement, and that it was even “more disturbing and disappointing” that it took the government so long to disclose the fact that it was intentionally retaining these data. By October 2015, the NSA notified the court that it had still not fully purged the data. Data retention violations often involve technical malfunctions and improper data storage practices. They often persist for years before they are identified, and can take even longer to remedy.
To the extent that information is publicly available, the government has responded to these types of violations by providing additional guidance and training to analysts, improving inter- and intra-agency communication, urging that analysts take more care in entering targeting information and in expediting the detasking of targets, and continually checking and modifying software that manages the access to and retention of data. Yet over the years, the rate of these types of violations has largely remained the same and at times increased significantly. Meanwhile, the scale of surveillance and the number of targets under Section 702 increases each year and so too do the risks of unintentional noncompliance.
Indeed, the Privacy and Civil Liberties Oversight Board acknowledged in its report on Section 702 that “[i]n any surveillance program as large in scope as the Section 702 program, particularly where collection involves highly sophisticated technology, mistakes are inevitable.” More recently, James Baker, the general counsel of the FBI, also addressed the inevitability of compliance violations under Section 702 at a public event, saying that
[P]eople make mistakes. We are a human enterprise involving complex technology…Mistakes are made, we try to correct them, we try to identify them and what went wrong…[Compliance violations are] just unacceptable, but it’s a big authorization with a lot of things going on in a highly changing environment.
To reduce or better mitigate these violations and the attendant harms to Americans’ privacy, Congress should focus on three reforms.
First, the law should require that analysts exercise due diligence to determine that the target is a non-U.S. person reasonably believed to be located abroad. If a target’s U.S. person status or location are unclear, the government should not be allowed to presume that the person is a non-U.S. person located abroad. Such a provision would reduce the number of compliance incidents that involve tasking and detasking violations where the analysts either did not sufficiently establish the foreignness of a target or made an incorrect presumption about their status or location.
Second, Congress should codify the end to upstream “about” collection. It is clear that problems associated with collection of and access to communications that are neither to nor from a target are persistent, implicate significant Fourth Amendment concerns, and often take years to identify and mitigate. Congress should not leave the door open to the NSA to restart this controversial and highly problematic surveillance.
Third, and finally, Congress should require that all analysts obtain a warrant before searching for Americans’ communications in databases containing Section 702 information. Section 702 does not require the government to obtain individualized warrants before collecting communications because targets must be non-U.S. persons located abroad. But, when the government seeks to search through Section 702 data for information regarding Americans, their Fourth Amendment rights should be protected. Requiring judicial review would protect Americans against the risk that their communications are unlawfully or improperly accessed either due to misunderstanding or misapplying complicated internal procedures or because of a failure to delete data subject to a purge requirement. It would also ensure that intelligence community access to Americans’ communications is subject to much-needed and constitutionally required judicial oversight.
Since the inception of Section 702, the privacy community has warned about the privacy implications of the incidental collection of Americans’ communications and how those communications may be accessed and used. The government’s history of unintentional noncompliance animates those concerns. These proposed reforms would reduce the chances of noncompliance, and, as such, are critical to ensuring that Americans’ privacy is adequately protected under Section 702.