NSA violations of FISC electronic communications metadata orders

On November 18, 2013, the DNI released a heavily redacted opinion by FISC Judge John D. Bates, even the date and docket number of which were expunged, that relates a history in which “[a]s … the government acknowledges[,] … NSA exceeded the scope of authorized acquisition continuously during the more than [redacted] years of acquisition under these orders [authorizing the collection of Internet metadata under the pen/trap provision of 50 U.S.C. Sec. 1842].” The continuous violations involved (i) collecting information beyond the scope of the definition of metadata in the FISC orders, (ii) using seeds for which the requisite reasonable articulable suspicion had not been found (“non-RAS-approved” seeds) to query the Internet metadata database, especially non-RAS-seeds involving US persons, (iii) disseminating unminimized query results to NSA agents who were not authorized to access Internet metadata, and (iv) placing unminimized query results in databases accessible to other agencies and providing intelligence reports to other agencies that did not properly minimize US person information.

Notwithstanding the NSA’s history of violations, Judge Bates granted, albeit subject to modifications, “[t]he current application, [even though] in comparison with prior dockets, [the government] seeks authority to acquire a much larger volume of metadata at a greatly expanded list of facilities, while also modifying – and in some ways relaxing – the rules governing the handling of the metadata.” In particular, Judge Bates approved the government’s requests to abandon the limits, in previous FISC orders, on the number of NSA agents approved to query Internet metadata and access query results and to expand the period for retention of Internet metadata from 4 ½ to 5 years.

By contrast, the judge rejected the government’s request to “expand considerably” the definition of metadata so as to “encompass all the types of information that were actually collected (to include unauthorized collection) under color of the prior orders.” The limits that Judge Bates placed on the definition of Internet metadata cannot be ascertained, however, due to the heavy redactions in the version of his opinion that the DNI released. Nonetheless, it is clear that in addition to limiting the definition of metadata, the judge rejected the government’s request to be allowed to query all data collected under the authority of previous FISC orders, including data that should not have been collected because it was outside the scope of the orders’ definition of metadata. Rebuking the government, Judge Bates reasoned that since it knew or had reason to know that some of the overcollected data was obtained through unauthorized electronic surveillance, any use or disclosure of such data would constitute a crime under 50 U.S.C. 1809(a)(2).

In addition, the judge rejected the government’s proposal to limit training in procedures for storage, access and dissemination of Internet metadata to those NSA personnel who performed queries. Here, he expressed concern with the NSA’s “poor” record of ensuring that query results not be disseminated outside the NSA unless a designated official determined that any information about a United States national was related to counterterrorism information and necessary to understand or assess its importance. Accordingly, he ordered the government to ensure that any NSA personnel who received query results “in any form first receive appropriate and adequate training and guidance regarding the procedures and restrictions for the handling and dissemination of such information.”

Leave a Reply