NSA brazenly broke privacy rules for years

Judge's blistering ruling says lack of tech knowledge at root of issue

The Washington Post, AP

The U.S. National Security Agency for almost three years searched a massive database of Americans’ phone call records in an attempt to identify potential terrorists, in violation of court-approved privacy rules, and the problem went unfixed because no one at the agency had a full technical understanding of how its system worked, according to new documents and senior government officials.

Moreover, it was U.S. Justice Department officials who discovered the problem and reported it to the court that oversees surveillance programs, the documents show, undermining assertions by the NSA that self-reporting is part of its culture.

The improper activity went on from May 2006 to January 2009, according to a March 2009 opinion by Judge Reggie Walton, who serves on the Foreign Intelligence Surveillance Court (FISC).

It was one of more than a dozen documents declassified and released Tuesday in response to lawsuits by civil liberties groups and at the direction of President Barack Obama, in the wake of the June disclosure by former NSA contractor Edward Snowden of the massive collection of phone records.

“The documents released today are a testament to the government’s strong commitment to detecting, correcting and reporting mistakes that occur in implementing technologically complex intelligence collection activities, and to continually improving its oversight and compliance processes,” said James Clapper, director of national intelligence.

The rebuke of the NSA comes less than a month after the Office of the Director of National Intelligence released a highly critical FISC opinion that took the agency to task for its operation of a separate surveillance program.

Taken together, the documents released by the office over the past month paint a picture of an agency that has sought and won sweeping surveillance powers to run complex domestic data collection without anyone having full technical understanding of the efforts, and that has repeatedly misrepresented the programs’ scope to its court overseer.

Such revelations call into question the effectiveness of an oversight program that depends on accurate disclosure by the NSA to a court that acts in secret and says it lacks the resources to verify independently the agency’s assertions. “It has finally come to light that the FISC’s authorizations of this vast collection program have been premised on a flawed depiction of how the NSA uses” the phone data, Walton wrote.

“This misperception by the FISC existed from the inception of its authorized collection in May 2006, buttressed by repeated inaccurate statements made in the government’s submissions,” he continued. Privacy procedures “have been so frequently and systemically violated that it can fairly be said that this critical element of the overall (phone records) regime has never fully functioned effectively.”

The “bulk records” program began without any court or congressional approval shortly after the Sept. 11, 2001, attacks but was put under court supervision in May 2006, after American phone companies balked at providing the data solely at the request of the executive branch.

Under the program, the NSA receives daily transfers of all customer records from the nation’s phone companies. Those records include numbers dialed and the time and duration of calls, but no customer names or content of conversations.

Beginning on Jan. 9, 2009, Justice Department officials began notifying the court of problems, in particular that the NSA had been running an automated “alert list” on selected phone numbers without meeting the court-required standard of “reasonable and articulable suspicion” that those numbers were tied to terrorists.

Justice Department officials notified the court that the NSA had been searching the phone companies’ records “in a manner directly contrary” to the court’s orders “and directly contrary to the sworn attestations of several Executive Branch officials,” Walton wrote in a Jan. 29, 2009, order.

NSA Director Keith Alexander suggested to the court that the violations stemmed from a belief by his personnel that not all the databases were covered by the same privacy rules, Walton wrote in his March opinion. “That interpretation of the court’s orders strains credulity,” Walton said.

The judge also suggested that the NSA’s Office of General Counsel deliberately chose to approve the use of phone numbers that did not meet the court standards because such procedures were in keeping with other NSA collection activities. In March 2009, the court took the unusual step of ordering the government to seek approval to query the database on a case-by-case basis “except where necessary to protect against an imminent threat to human life.”

After discovering government officials had been accessing domestic phone records without a sufficient connection to terrorism for nearly three years, the judge said in a blistering opinion that he had “lost confidence” in officials’ ability to legally operate the program.

Walton noted, for instance, that just 1,935 phone numbers out of 17,835 on a list investigators were working with in early 2009 met the legal standard.

The judge ordered the NSA to conduct an “end-to-end” review of its processes and policies while also ordering closer monitoring of its activities.