
Exclusive: NSA Loophole Keeps Congress Clueless on Foreign Intel Violations

The leaked audit showing the NSA broke privacy rules nearly 3,000 times in one year is just the tip of the iceberg. The NSA is not telling Congress much more.

By Marc Ambinder

The National Security Agency, exploiting an executive order loophole, does not give Congress detailed information about unlawful signals intelligence collection on United States citizens when those violations come from programs that focus exclusively on foreign intelligence collection outside the U.S., an intelligence official told Defense One on Friday.

In an internal audit report leaked to The Washington Post by former NSA contractor Edward Snowden, these intelligence collection violations are referred to as Executive Order 12333 transgressions, after the 1981 order sanctioning all NSA activities worldwide. On its website, NSA says it uses “E.O. 12333 authority to collect foreign intelligence from communications systems around the world.”

Some NSA intelligence collection of U.S.-based targets or citizens requires a prior court order, per the 1978 Foreign Intelligence Surveillance Act. Congress is kept informed of those notices. But intelligence being collected on foreign subjects does not require the same notice. When a foreign operation crosses into U.S. realms, no FISA order is required. NSA has not been providing details on those non-FISA operations, according to the intelligence official.

“Twelve-Triple-3,” as it is known to NSA analysts, is the agency’s bible and specifies the types of foreign intelligence that it can legally collect without court oversight. It also requires that inadvertent collection of unlawful intelligence -- primarily raw data collected on U.S. citizens -- be “minimized” or anonymized, and then destroyed. 

The 1978 FISA act forced the NSA to obtain a court order before they could collect foreign intelligence from U.S.-based targets, U.S. citizens, corporations or residents. Section 702 of the 2008 FISA Amendments Act allows NSA to use U.S. communication infrastructure to target foreigners “reasonably believed” to be outside the United States. Sections 704 and 705(b) permit the NSA to target U.S. persons who are acting as agents of a foreign power or terrorist group, but the NSA must get a FISA order before they can begin interception. Finally, under the business records provision of the PATRIOT Act, the NSA can obtain, with court certification, telephone records from all American service providers.

Since the focus of oversight efforts has been on FISA compliance, NSA gives Congress detailed narratives of violations of the FISA-authorized data sets, like when metadata about American phone records was stored too long, when a wrong set of records was searched by an analyst or when names or “selectors” not previously cleared by FISA were used to acquire information from the databases. In these cases, the NSA’s compliance staff sends incident reports to the Senate Select Committee on Intelligence and the House Permanent Select Committee on Intelligence for each “significant” FISA violation, and those reports include “significant details,” the official said.

But privacy violations of this sort comprise just one third of those analyzed by the inspector general. Of the 2,776 violations reported by the NSA from May 2011 to May 2012, more than two-thirds were counted as E.O. 12333 incidents. And the agency doesn’t provide Congress detailed reports on E.O. 12333 violations.

In some ways, it’s a distinction without a difference: it does not matter to U.S. citizens whether their phone call was accidentally intercepted by an analyst focusing on U.S.-based activities or those involving a foreign country. But the difference is relevant as it keeps Congress uninformed and unable to perform its oversight duties because the NSA doesn’t provide the intelligence committees with a detailed narrative about the latter type of transgressions.

For example, if someone’s e-mails were inadvertently obtained by the NSA’s International Transit Switch Collection programs, it would count as a 12333 error and not a FISA error, even though the data was taken from U.S. communication gateways, and NSA would not notify Congress. The document specifies four such programs: ORANGEBLOSSOM, FAIRVIEW, STORMVIEW and SILVERZEPHYR.


The Post’s documents suggest that people classified as “roamers” are the unwitting victims of the plurality of both E.O. 12333 and FISA violations.

According to an intelligence official, one type of “roamer” is a legitimate foreign intelligence target who suddenly travels to the United States, thus temporarily placing his or her communications on the U.S. telecom infrastructure grid. Roamers, generally, include recognized agents of foreign powers, like identified foreign government officials or suspected spies operating under diplomatic cover. 

NSA is not permitted to use the U.S. telephone system to continue to collect intelligence on these targets without re-tasking the target through FISA channels. 

Sen. Dianne Feinstein, D-Calif., said in a statement on Friday that she believed most of the NSA compliance issues were of this unintentional kind, but asked for increased notification of any violations from the NSA. “As I have said previously, the committee has never identified an instance in which the NSA has intentionally abused its authority to conduct surveillance for inappropriate purposes.

“I believe, however, that the committee can and should do more to independently verify that NSA’s operations are appropriate, and its reports of compliance incidents are accurate. This should include more routine trips to NSA by committee staff and committee hearings at which all compliance issues can be fully discussed.”

House Intelligence Committee Chairman Mike Rogers, R-Mich., however, defended the NSA and the oversight performance of his committee, as well as the courts, vowing in a statement on Friday not to tolerate any “intentional” NSA reporting violations. “Even the inadvertent and unintentional errors are documented. We demand these reviews so the NSA can constantly improve and correct any technical missteps that may impact Americans. The Committee has been apprised of previous incidents,” he said. “Human and technical errors, like all of the errors reported in this story, are unfortunately inevitable in any organization and especially in a highly technical and complicated system like NSA. The Committee will continue to work with the executive branch to reduce these errors.”

Interestingly, given FISA’s focus on counterterrorism, only 8 percent of the total errors originated from analysts working that beat. Miscues from the Korea and International Security analytical divisions accounted for a majority of errors that could be blamed on the analysts themselves.

John DeLong, NSA's compliance director, told reporters that NSA's integral auditing "caught a majority" of the mistakes, and that he was aware of only "a couple" of deliberate attempts to invade an American citizen's privacy over the last decade. 

Many of the violations involved legitimate foreign targets, not U.S. citizens, who travel to the U.S., often without NSA's knowledge, he said. To continue collecting on them once they enter the U.S., the agency must obtain a FISA order. DeLong said the agency takes every mistake seriously, whether intentional or not.