Exclusive: NSA Loophole Keeps Congress Clueless on Foreign Intel Violations

The leaked audit showing the NSA broke privacy rules nearly 3,000 times in one year is just the tip of the iceberg. The NSA is not telling Congress much more. By Marc Ambinder

The National Security Agency, exploiting an executive order loophole, does not give Congress detailed information about unlawful signals intelligence collection on United States citizens when those violations come from programs that focus exclusively on foreign intelligence collection outside the U.S., an intelligence official told Defense One on Friday.

In an internal audit report leaked to The Washington Post by former NSA contractor Edward Snowden, these intelligence collection violations are referred to as Executive Order 12333 transgressions, after the 1981 order sanctioning all NSA activities worldwide. On its website, NSA says it uses “E.O. 12333 authority to collect foreign intelligence from communications systems around the world.”

Some NSA intelligence collection of U.S.-based targets or citizens requires a prior court order, per the 1978 Foreign Intelligence Surveillance Act. Congress is kept informed of those notices. But intelligence being collected on foreign subjects does not require the same notice. When a foreign operation crosses into U.S. realms, no FISA order is required. NSA has not been providing details on those non-FISA operations, according to the intelligence official.

“Twelve-Triple-3,” as it is known to NSA analysts, is the agency’s bible and specifies the types of foreign intelligence that it can legally collect without court oversight. It also requires that inadvertent collection of unlawful intelligence — primarily raw data collected on U.S. citizens — be “minimized” or anonymized, and then destroyed.

The 1978 FISA act forced the NSA to obtain a court order before they could collect foreign intelligence from U.S.-based targets, U.S. citizens, corporations or residents. Section 702 of the 2008 FISA Amendments Act allows NSA to use U.S. communication infrastructure to target foreigners “reasonably believed” to be outside the United States. Sections 704 and 705(b) permit the NSA to target U.S. persons who are acting as agents of a foreign power or terrorist group, but the NSA must get a FISA order before they can begin interception. Finally, under the business records provision of the PATRIOT Act, the NSA can obtain, with court certification, telephone records from all American service providers.

Since the focus of oversight efforts has been on FISA compliance, NSA gives Congress detailed narratives of violations of the FISA-authorized data sets, like when metadata about American phone records was stored too long, when a wrong set of records was searched by an analyst or when names or “selectors” not previously cleared by FISA were used to acquire information from the databases. In these cases, the NSA’s compliance staff sends incident reports to the Senate Select Committee on Intelligence and the House Permanent Select Committee on Intelligence for each “significant” FISA violation, and those reports include “significant details,” the official said.

But privacy violations of this sort comprise just one third of those analyzed by the inspector general. Of the 2,776 violations reported by the NSA from May 2011 to May 2012, more than two-thirds were counted as E.O. 12333 incidents. And the agency doesn’t provide Congress detailed reports on E.O. 12333 violations.

In some ways, it’s a distinction without a difference: it does not matter to U.S. citizens whether their phone call was accidentally intercepted by an analyst focusing on U.S.-based activities or those involving a foreign country. But the difference is relevant as it keeps Congress uninformed and unable to perform its oversight duties because the NSA doesn’t provide the intelligence committees with a detailed narrative about the latter type of transgressions.

For example, if someone’s e-mails were inadvertently obtained by the NSA’s International Transit Switch Collection programs, it would count as a 12333 error and not a FISA error, even though the data was taken from U.S. communication gateways, and NSA would not notify Congress. The document specifies four such programs: ORANGEBLOSSOM, FAIRVIEW, STORMVIEW and SILVERZEPHYR.


The Post’s documents suggest that people classified as “roamers” are the unwitting victims of the plurality of both E.O. 12333 and FISA violations.

According to an intelligence official, one type of “roamer” is a legitimate foreign intelligence target who suddenly travels to the United States, thus temporarily placing his or her communications on the U.S. telecom infrastructure grid. Roamers, generally, include recognized agents of foreign powers, like identified foreign government officials or suspected spies operating under diplomatic cover.

NSA is not permitted to use the U.S. telephone system to continue to collect intelligence on these targets without re-tasking the target through FISA channels.

Sen. Dianne Feinstein, D-Calif., said in a statement on Friday that she believed most of the NSA compliance issues were of this unintentional kind, but asked for increased notification of any violations from the NSA. “As I have said previously, the committee has never identified an instance in which the NSA has intentionally abused its authority to conduct surveillance for inappropriate purposes.

“I believe, however, that the committee can and should do more to independently verify that NSA’s operations are appropriate, and its reports of compliance incidents are accurate. This should include more routine trips to NSA by committee staff and committee hearings at which all compliance issues can be fully discussed.”

House Intelligence Committee Chairman Mike Rogers, R-Mich., however, defended the NSA and the oversight performance of his committee, as well as the courts, saying in a statement on Friday that he would not tolerate any “intentional” NSA reporting violations. “Even the inadvertent and unintentional errors are documented. We demand these reviews so the NSA can constantly improve and correct any technical missteps that may impact Americans. The Committee has been apprised of previous incidents,” he said. “Human and technical errors, like all of the errors reported in this story, are unfortunately inevitable in any organization and especially in a highly technical and complicated system like NSA. The Committee will continue to work with the executive branch to reduce these errors.”

Interestingly, given FISA’s focus on counterterrorism, only 8 percent of the total errors originated from analysts working that beat. Miscues from the Korea and International Security analytical divisions accounted for a majority of errors that could be blamed on the analysts themselves.

John DeLong, NSA’s compliance director, told reporters that NSA’s internal auditing “caught a majority” of the mistakes, and that he was aware of only “a couple” of deliberate attempts to invade an American citizen’s privacy over the last decade.

Many of the violations involved legitimate foreign targets, not U.S. citizens, who travel to the U.S., often without NSA’s knowledge, he said. To continue collecting on them once they enter the U.S., the agency must obtain a FISA order. DeLong said the agency takes every mistake seriously whether intentional or not.
