Exclusive: NSA Loophole Keeps Congress Clueless on Foreign Intel Violations

The leaked audit showing the NSA broke privacy rules nearly 3,000 times in one year is just the tip of the iceberg. The NSA is not telling Congress much more. By Marc Ambinder

The National Security Agency, exploiting an executive order loophole, does not give Congress detailed information about unlawful signals intelligence collection on United States citizens when those violations come from programs that focus exclusively on foreign intelligence collection outside the U.S., an intelligence official told Defense One on Friday.

In an internal audit report leaked to The Washington Post by former NSA contractor Edward Snowden, these intelligence collection violations are referred to as Executive Order 12333 transgressions, after the 1981 order sanctioning all NSA activities worldwide. On its website, NSA says it uses “E.O. 12333 authority to collect foreign intelligence from communications systems around the world.”

Some NSA intelligence collection of U.S.-based targets or citizens requires a prior court order, per the 1978 Foreign Intelligence Surveillance Act. Congress is kept informed of those notices. But intelligence being collected on foreign subjects does not require the same notice. When a foreign operation crosses in to U.S. realms, no FISA order is required. NSA has not been providing details on those non-FISA operations, according to the intelligence official.

“Twelve-Triple-3,” as it is known to NSA analysts, is the agency’s bible and specifies the types of foreign intelligence that it can legally collect without court oversight. It also requires that inadvertent collection of unlawful intelligence — primarily raw data collected on U.S. citizens — be “minimized” or anonymized, and then destroyed. 

The 1978 FISA act forced the NSA to obtain a court order before they could collect foreign intelligence from U.S.-based targets, U.S. citizens, corporations or residents. Section 702 of the 2008 FISA Amendments Act allows NSA to use U.S. communication infrastructure to target foreigners “reasonably believed” to be outside the United States. Sections 704 and 705(b) permit the NSA to target U.S. persons who are acting as agents of a foreign power or terrorist group, but the NSA must get a FISA order before they can begin interception. Finally, under the business records provision of the PATRIOT Act, the NSA can obtain, with court certification, telephone records from all American service providers.

Since the focus of oversight efforts has been on FISA compliance, NSA gives Congress detailed narratives of violations of the FISA-authorized data sets, like when metadata about American phone records was stored too long, when a wrong set of records was searched by an analyst or when names or “selectors” not previously cleared by FISA were used to acquire information from the databases. In these cases, the NSA’s compliance staff sends incident reports to the Senate Select Committee on Intelligence and the House Permanent Select Committee on Intelligence for each “significant” FISA violation, and those reports include “significant details,” the official said.

But privacy violations of this sort comprise just one third of those analyzed by the inspector general. Of the 2,776 violations reported by the NSA from May 2011 to May 2012, more than two-thirds were counted as E.O. 12333 incidents. And the agency doesn’t provide Congress detailed reports on E.O. 12333 violations.

In some ways, it’s a distinction without a difference: it does not matter to U.S. citizens whether their phone call was accidentally intercepted by an analyst focusing on U.S.-based activities or those involving a foreign country. But the difference is relevant as it keeps Congress uninformed and unable to perform its oversight duties because the NSA doesn’t provide the intelligence committees with a detailed narrative about the latter type of transgressions.

For example, if someone’s e-mails were inadvertently obtained by the NSA’s International Transit Switch Collection programs, it would count as 12333 error and not a FISA error, even though the data was taken from U.S. communication gateways, and NSA would not notify Congress. The document specifies four such programs: ORANGEBLOSSOM, FAIRVIEW, STORMVIEW and SILVERZEPHYR.

[Related: What the NSA’s Massive Org Chart (Probably) Looks Like]

The Post’s documents suggest that people classified as “roamers” are the unwitting victims of the plurality of both E.O. 12333 and FISA violations.

According to an intelligence official, one type of “roamer” is a legitimate foreign intelligence target who suddenly travels to the United States, thus temporarily placing his or her communications on the U.S. telecom infrastructure grid. Roamers, generally, include recognized agents of foreign powers, like identified foreign government officials or suspected spies operating under diplomatic cover. 

NSA is not permitted to use the U.S. telephone system to continue to collect intelligence on these targets without re-tasking the target through FISA channels. 

Sen. Dianne Feinstein, D-Calif., said in a statement on Friday that she believed most of the NSA compliance issues were of this unintentional kind, but asked for increased notification of any violations from the NSA. “As I have said previously, the committee has never identified an instance in which the NSA has intentionally abused its authority to conduct surveillance for inappropriate purposes.

“I believe, however, that the committee can and should do more to independently verify that NSA’s operations are appropriate, and its reports of compliance incidents are accurate. This should include more routine trips to NSA by committee staff and committee hearings at which all compliance issues can be fully discussed.”

House Intelligence Committee Chairman Mike Rogers, R-Mich., however, defended the NSA and the oversight performance of his committee, as well as the courts, proclaiming in a statement on Friday not to tolerate any “intentional” NSA reporting violations. “Even the inadvertent and unintentional errors are documented.  We demand these reviews so the NSA can constantly improve and correct any technical missteps that may impact Americans.  The Committee has been apprised of previous incidents,” he said. “Human and technical errors, like all of the errors reported in this story, are unfortunately inevitable in any organization and especially in a highly technical and complicated system like NSA. The Committee will continue to work with the executive branch to reduce these errors.”

Interestingly, given FISA’s focus on counterterrorism, only 8 percent of the total errors originated from analysts working that beat. Miscues from the Korea and International Security analytical divisions accounted for a majority of errors that could be blamed on the analysts themselves.

John DeLong, NSA’s compliance director, told reporters that NSA’s integral auditing “caught a majority” of the mistakes, and that he was aware of only “a couple” of deliberate attempts to invade an American citizen’s privacy over the last decade. 

Many of the violations involved legitimate foreign targets, not U.S. citizens, who travel to the U.S., often without NSA’s knowledge, he said. To continue collecting on them once they enter the US, the agency must obtain a FISA order. DeLong said the agency takes every mistake seriously whether intentional or not. 

Close [ x ] More from DefenseOne

Thank you for subscribing to newsletters from DefenseOne.com.
We think these reports might interest you:

  • Ongoing Efforts in Veterans Health Care Modernization

    This report discusses the current state of veterans health care

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Top 5 Findings: Security of Internet of Things To Be Mission-Critical

    As federal agencies increasingly leverage these capabilities, government security stakeholders now must manage and secure a growing number of devices, including those being used remotely at the “edge” of networks in a variety of locations. With such security concerns in mind, Government Business Council undertook an indepth research study of federal government leaders in January 2017. Here are five of the key takeaways below which, taken together, paint a portrait of a government that is increasingly cognizant and concerned for the future security of IoT.

  • Coordinating Incident Response on Posts, Camps and Stations

    Effective incident response on posts, camps, and stations is an increasingly complex challenge. An effective response calls for seamless conversations between multiple stakeholders on the base and beyond its borders with civilian law enforcement and emergency services personnel. This whitepaper discusses what a modern dispatch solution looks like -- one that brings together diverse channels and media, simplifies the dispatch environment and addresses technical integration challenges to ensure next generation safety and response on Department of Defense posts, camps and stations.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation


When you download a report, your information may be shared with the underwriters of that document.