Naughty NSA was so drunk on data it forgot collection rules
Declassified court docs show systematic breaches over [REDACTED] years
Declassified documents from America's Foreign Intelligence Surveillance Court (FISC) shows that even the NSA didn't know the limits of what it was supposed to collect, and overstepped its authorisations for years.
The documents were released to the Electronic Privacy Information Centre in response to an FOI request, and record FISC judges' disquiet about the program. Seeking a renewal for the NSA's use of “pen register and trap and trace (PR/TT)” devices in US networks to collect subscriber metadata, the papers note that “the government acknowledges that NSA exceeded the scope of authorised acquisition continuously during the more than [REDACATED] years of acquisition under these orders”.
The court says NSA's overcollection of metadata was “systematic” over a number of years.
Referring to the “serious compliance problems that have characterised the government's implementation of prior FISC orders”, the documents indicate that non-compliance was a frequent problem, with the government notifying the court of NSA breaches both in the over-collection of data and the disclosure of data to other agencies beyond the court's authorisation.
Rather than sift through the entire dataset to work out what was compliant and what was not, the court notes, the NSA at one point decided to flush it all and start again: “NSA had eliminated access to the database that contained the entire set of metadata, and repopulated the databases used by analysts to run queries so that they only contained information [REDACTED] that had not been involved in the unauthorised collection”.
Later still – but still with the dates redacted – the NSA managed a trifecta, with the court noting another round of compliance breaches relating to access to metadata; disclosure of query results; and overcollection (again).
While the details are still sketchy and redacted, it looks to The Register as if someone wrote an over-enthusiastic script: “the NSA had regularly accessed the bulk telephone metadata using a form of automated querying based on telephone numbers that had not been approved under the RAS standard” (RAS means “reasonable articulable suspicion”, that is, only persons suspected of association with international terrorist groups could be swept up in the PR/TT dragnet).
“Those conducting oversight at NSA failed to do so effectively”, the documents state.
Interestingly, the documents also reveal that the FISC court regards the line between “data” and “metadata” as blurry.
Early on, it cites this definition: “metadata is information 'about the communication, not the actual communication itself'”, which includes “numbers dialled, the length of a call, internet protocol addresses, e-mail addresses and similar information concerning the delivery of a communication rather than the message between two parties”.
So where does a URL sit in the FISC's view?
“In the context of Internet communications, a Uniform Resource Locator (URL) – 'an address that can lead you to a file on any computer on the Internet' – constitutes a form of 'addressing information' under the ordinary meaning of that term. Yet, in some circumstances a URL can also include 'contents'”, the papers state. ®
Sponsored: Becoming a Pragmatic Security Leader