As the Snowden leaks about NSA surveillance continue to trickle out, it's easy to miss the fact that the NSA is now releasing hundreds of pages of damning documents about its activities. They're not doing it voluntarily: the Snowden leaks allowed the Electronic Frontier Foundation and the ACLU to wave away a decade's worth of administrative stalling and secure a major court victory that triggered the releases.
The latest bunch of docs reveal that "since the earliest days" of the NSA's program of bulk phone-record collection, it broke the law enthusiastically and repeatedly. When confronted by a judge in the secret FISA Court — the only practical oversight for NSA spying — the NSA told the judge that the reason they were breaking the law is that they'd designed a system so compartmentalized and complex that no one at the NSA actually understood how it worked, leading to the accidental violations of the law.
One such violation was the establishment of an automated "alert list process," by which the NSA sucked phone numbers into its data-mining operation, something it was only supposed to do under court supervision. Instead, they ingested thousands of Americans' phone records, allowed personnel to query those records, and handed those records over to other agencies.
It got so bad that the judge in charge nearly ordered them to halt their phone record gathering process altogether, but did not. The NSA admits that none of this surveillance ever prevented a terrorist attack. The program continues to this day.
In the most serious incident uncovered today, the NSA set up an automated system to add phone numbers to its data-mining watchlist. That system, called the "alert list process," completely bypassed the court-ordered review process, in which NSA personnel were supposed to ensure that nobody was monitored without "reasonable articulable suspicion" that they were tied to a foreign terrorist group or intelligence agency.
Between 2006 and 2009 some 17,835 phone numbers were queried, but only 1,935 of these were based on a RAS standard, as required by the court's order.
"Thus, since the earliest days of the FISC-authorized collection of call-detail records by the NSA, the NSA has on a daily basis, accessed BR metadata for purposes of comparing thousands of non-RAS approved telephone identifiers on its alert list against the BR metadata in order to identify any matches," according to a March 2009 declassified FISA court opinion.
In addition to the alert list gaffe, individual analysts were found to be running searches on phone numbers not cleared by the RAS process.
When it learned of the violations, the intelligence court considered ending the program. But the government changed its processes, and persuaded the court to allow the collection to continue. The FISA court hears arguments only from government lawyers — so there is nobody arguing the other side.
NSA Illegally Gorged on U.S. Phone Records for Three Years [David Kravets, Kim Zetter, Kevin Poulsen/Wired]
In 2009, Walton wrote that the NSA had accessed phone records metadata in an unauthorised manner "on a daily basis". The judge said that Alexander's explanation of the NSA's "non-compliance with the court's orders," which centered around an apparent misunderstanding by the NSA of what data was governed by privacy protections, "strains credulity".
He wrote: "Such an illogical interpretation of the court's orders renders compliance with the RAS [reasonable articulable suspicion] standard merely optional."
The NSA had told the court that "from a technical standpoint, there was no single person who had a complete understanding of the BR [Business Records] metadata architecture."
Walton found that the government's "failure to ensure that responsible officials adequately understood the NSA's alert process, and to accurately report its implementation to the court, has prevented, for more than two years, both the government and the [Fisa court] from taking steps to remedy daily violations" of Americans' privacy.
In fact, Walton, who lamented the court's inability to independently assess the NSA's claims of compliance, appears in 2009 to have considered ending the bulk phone records collection entirely.
NSA violations led judge to consider viability of surveillance program [Spencer Ackerman/The Guardian]