NSA spy program ignored rules designed to protect privacy

Summary:One US spy program had been approved, but only with careful considerations to privacy, but once the NSA began using it, they ignored the rules designed to protect the innocent.

Serious concerns over the US National Security Agency's (NSA) electronic tapping procedures — or Pen Register and Trap and Trace (PR/TT) provisions — had been raised by the Foreign Intelligence Surveillance Court (FISC) at its inception, but ultimately passed in the interests of national security.

But after being approved, the NSA broke the conditions that it was meant to adhere by and shared unfiltered information with other agencies.

The revelations come from court opinions, which form just two of a cache of documents released by the US Office of the Director of National Intelligence on Monday. The documents include training and guidance documents followed by the NSA, how information is filtered — or "minimised" — to ensure US Persons are protected, and the two court opinions from the FISC.

nsaredact
Both opinions were heavily redacted. (Screenshot by Michael Lee/ZDNet)

The first opinion (PDF) is signed by the then-presiding FISC judge Colleen Kollar-Kotelly who essentially approved the PR/TT program, but reveals she held deep reservations about the government's ability to overreach.

"The raw volume of the proposed collection is enormous," she wrote.

"In absolute terms, the proposed surveillance 'will result in the collection of meta data pertaining to [redacted] electronic communications, including meta data pertaining to communications of United States persons located within the United States who are not the subject of any FBI investigation.'"

The concern for the invasion of privacy is in contrast to the NSA's own draft reports in which Kollar-Kotelly had appeared to simply rubber stamp the program. When the classified report was leaked, Kollar-Kotelly had told the Washington Post that FISC had not coordinated with the NSA to simply pass the program through without the perceived lack of checks and balances.

The opinion reveals that Kollar-Kotelly weighed up several factors against each other, examining, for example, national security interests that went "beyond the normal need for law enforcement"; that metadata is not considered to be protected under the Fourth Amendment; that any intrusion of personal privacy would be minimised by restrictions on restrictions placed on accessing the information; whether the government had chosen a reasonable effective method of addressing the need for the information; and the immediate need for such information.

She finally summarised that any invasions of privacy would be minimal and overall, in the nation's greater interests.

"The bulk collection proposed in this case is analogous to suspicionless searches or seizures that have been upheld under the Fourth Amendment in that the Goverment's need is compelling and immediate, the intrusion on individual privacy interests is limited, and bulk collection appears to be a reasonably effective means of detecting and monitoring [redacted] related operatives and thereby obtaining information likely to be [redacted] to ongoing FBI investigations."

However, the second opinion (PDF), signed by US FISC judge John Bates after the program was suspended for non-compliance issues, shows that the NSA had been grossly abusing the powers available to it under the PR/TT program.

The government has provided no meaningful explanation why these violations occurred, but it seems likely that widespread ignorance of the rules was a contributing factor

Bates' opinion reveals that the government had been using an automated method that to query telephone numbers for metadata without considering the necessary "reasonable articulable suspicion" standards that protect those that should not be subject to surveillance.

Other NSA analysts had also received results that had not yet been minimised to screen out unnecessary personal information. The government later justified this act by stating that sharing unminimised information with analysts not cleared under the PR/TT program was "critical to the success of NSA's counterterrorism mission." FISC judge Reggie Walton later approved the activity under the proviso that analyst undergo further training.

Information from the program was also placed into a database that was made accessible to other US agencies. These agencies included about 47 analyst from the FBI, CIA and the National Counterterrorism Centre. Bates' opinion notes that these analysts accessed unminimised US Person information.

The database was not an isolated incident. According to the opinion, NSA analysts "made it a general practice to disseminate to other agencies NSA intelligence reports containing US Person information extracted from [the program]."

Bates' opinion showed that "since the initial authorisation" of the program, the NSA had overstepped the bounds of what it was allowed to collect and that almost every record acquired under the program "included some data that had not been authorised for collection."

He notes in particular that the "NSA generally disregearded the special rules for disseminating United States Person information outside of NSA until it was ordered to."

"The government has provided no meaningful explanation why these violations occurred, but it seems likely that widespread ignorance of the rules was a contributing factor."

Director of National Intelligence James Clapper states in the release of the documents that the PR/TT program had been discontinued, yet as recently as June 2013, former secure email provider Lavabit had been ordered to track one of its customers , rumoured to be Edward Snowden, using the same PR/TT procedures. Rather than comply, Lavabit ceased operating as a business and is now

Topics: Security, Government, Government : US, Privacy

About

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.