NSA document details foreign intel databases
The intelligence agency delves into some details about how it collects, stores and accesses data but leaves many key questions unanswered.
The National Security Agency says it is not targeting people inside the United States for surveillance through its efforts to collect foreign intelligence, according to an unclassified report explaining how NSA implements its authorities under Section 702 of the Foreign Intelligence Surveillance Act.
However, information on citizens and residents becomes part of NSA's collections under Section 702, leading to questions about whether the agency uses its foreign intelligence authority to conduct warrantless, "backdoor" surveillance on U.S citizens.
The new document tracks closely with the testimony by top intelligence community lawyers at a March meeting of the Privacy and Civil Liberties Oversight Board, at whose request the unclassified NSA report was prepared. But it leaves many key questions unanswered, and the language is vague at times.
In the document, NSA delves into some details about how it collects, stores and accesses data collected under two of the programs revealed by former intelligence contractor Edward Snowden. It offers a look at how NSA analysts access data on the agency's systems, how analysts are trained to use the systems and the procedures in place to comply with privacy restrictions in the FISA statute.
Communications supplied to NSA by Internet companies are stored across "multiple NSA systems and data repositories." Although there isn't much in the way of specifics, the report indicates that one system might contain the content of communications -- such as text, audio and video -- while another system might store only the metadata associated with those communications -- such as the header information on an email message with to, from, subject and date information.
Under the program known as Prism, the FBI makes requests on behalf of NSA using "selectors" for individuals, such as phone number, email address and other identifiers. Companies are required to turn over communications to or from such selectors to NSA. The Upstream program, which intercepts communications from the Internet backbone rather than individual companies, can target selectors sending and receiving communications, as well as communications that reference or are about targeted selectors.
Under certain circumstances, NSA analysts are permitted to query databases using the email addresses, phone numbers and other identifiers of U.S. citizens and legal residents. That practice has been especially controversial because the section of intelligence law on domestic surveillance requires the order of a secret court to spy on U.S. citizens and those legally residing in the United States.
NSA claims that such queries must either be "reasonably likely to return foreign intelligence information" or be linked to an "imminent threat to life." As a practical matter, NSA analysts have more often queried metadata than the contents of communications. To go after content requires additional layers of approval. Furthermore, NSA may not query data collected under the broad Upstream program for citizen or resident identifiers. It's not clear from the document whether other agencies with domestic authorities could access information on citizens or residents under certain circumstances.
Finally, the report offers a look at what happens to "unevaluated" communications that are stored in NSA systems.
Upstream collections are retained for a maximum of two years, while the Prism collections are stored for up to five years. The report explains that information on U.S. citizens and residents may be destroyed if it's not relevant to NSA's purpose and includes no evidence of a crime. There are also provisions for destroying communications collected on selectors when they are determined to be inside the United States.