The NSA immediately began cultivating an array of “private sector partners,” including telephone companies, Internet service providers and Web services, according to a top-secret report by the NSA inspector general’s office obtained by The Washington Post.
“Private sector partners began to send telephony and Internet content to NSA in October 2001. They began to send telephony and Internet metadata to NSA as early as November 2001,” the IG report said.
The 57-page document, a working draft dated March 24, 2009, offers a short history of one of the most sweeping domestic surveillance efforts in American history. It was first posted by the Guardian newspaper in England.
The document contains new information about how the decade-long program came to be, including details about legal matters, funding and the fact that 60 lawmakers were briefed about it. The report also contains much that has already been disclosed by The Post and the Guardian, based on documents leaked by former NSA contractor Edward Snowden.
It depicts a program fashioned virtually from scratch in a time of crisis, by a handful of individuals, including Gen. Michael Hayden, the head of the NSA and Vice President Dick Cheney. Given the code name “Stellar Wind,” the PSP was a set of four surveillance programs that brought Americans and U.S. territory within the domain of the NSA for the first time in decades. The PSP, which initially operated outside the restrictions of the Foreign Intelligence Surveillance Act, was eventually put under full FISA court control by 2007.
The report also offers new fodder for critics of domestic spying about the proper limits on domestic intelligence. In recent interviews with The Post, some former senior NSA officials said they had misgivings at the time.
“It was not something that I felt we needed to do or should do,” said one former NSA official who spoke on the condition of anonymity in order to discuss top-secret matters. “I thought there was a way to do it, which was to put this under FBI control, using FBI authorities, and just let the FBI use our [NSA] tools. I was just thinking, what kind of precedent does this set?”
The NSA inspector general’s office issued the classified report under a mandate from the FISA Amendments Act of 2008. The report also shows that NSA officials believed that there were no constitutional limits on the collection of digital metadata, including such details as the origin, destination and timing of calls and e-mails.
More significantly, the inspector general’s report underscores the NSA’s fundamental reliance on private-sector companies.
“According to General [Keith B.] Alexander, General Hayden’s replacement as Director of NSA/CSS, if the relationships with these companies were ever terminated, the U.S. SIGINT system would be irrevocably damaged, because NSA would have sacrificed America’s home field advantage as the primary hub for worldwide telecommunications,” the report said.
Hayden, now a security consultant, was out of the country and unavailable for comment.
The four programs under the PSP involved the collection of Internet and telephone metadata and content. The Internet metadata program “was terminated in 2011 because it didn’t have the operational impact that we needed,” Alexander said Thursday while speaking at a cyber conference in Baltimore. Alexander said that the administration and Congress supported the shutdown and the “data was purged.”
Greg Nojeim, senior counsel and civil liberties specialist at the Center for Democracy and Technology (CDT), said such a program was not supposed to happen under FISA.
“The document shows that the president authorized, and the NSA conducted, the very electronic surveillance that Congress enacted FISA to preclude,” Nojeim said. “No court orders. No finding of probable cause. In fact, the FISA court doesn’t even get briefed about it until four months later. Due process under this program at inception was just a handshake between the head of the NSA and the vice president’s counsel.”
The program was born at a time when the nation was experiencing its most acute security crisis since the Pearl Harbor attacks 60 years earlier. In the hours after Sept. 11, 2001, the NSA scrambled to determine how to use its surveillance tools within a legal framework that tightly proscribed domestic intelligence collection.
“General Hayden was operating in a unique environment in which it was a widely held belief that additional attacks on U.S. soil were imminent,” the report said.
NSA officials found “collection gaps” that left the country vulnerable. “NSA believed that the FISA process was unable to accommodate the number of terrorist targets or the speed with which they changed their communication,” the report said, adding that the average wait for FISA approval was four to six weeks.
Three days after the attacks, Hayden approved the targeting of terrorist-associated foreign telephone numbers on communication links between the United States and foreign countries, the report said.
On Oct. 2, Hayden briefed members of the House Permanent Select Committee on Intelligence and Senate Select Committee on Intelligence about his decision to allow expanded data collection.
The president issued a memo on Oct. 4 that authorized “specified electronic surveillance” for a “limited period” to detect and thwart terrorism inside the United States. The order delegated authority to the secretary of defense, who passed on the authority to Hayden.
Under the initial authorization, as long as the NSA had probable cause to think one of the people communicating was in Afghanistan or was engaged in planning an act of international terrorism, the agency could collect communications data outside the FISA process. “The majority of known terrorist email addresses that NSA has tracked are hosted on U.S.-based providers,” the report said.
Days later, the PSP’s metadata analysis center was a round-the-clock operation with 20 analysts and software developers. Many of them were “former Russian traffic analysts,” the report said. Within a week, 90 NSA employees were clear to view the PSP material.
The “PSP content collection” ultimately targeted 3,018 people in the United States from Oct. 4, 2001, to Jan. 17, 2007, the report said. Targeting of foreign nationals was broadened beyond Afghanistan shortly after the initial authorization. Of the targets, 34,646, or 92 percent, were foreign.
The report notes: “NSA leadership considered selectors for targets located in the United States to be extremely sensitive. As such, processes were set up to ensure strict compliance with the terms of the Authorization.”
But the sweep of the PSP went beyond content and included the collection of vast amounts of metadata. Among the legal assumptions was that “metadata was not constitutionally protected” and not as sensitive as content.
“Nevertheless, processes were set up to document requests for metadata analysis and justifications for conducting such analysis under Program authority,” the report said.
The report does not specify how much metadata was collected, but it pointed out that 37 billion minutes in telephone conversations originated or ended in the United States in 2003 alone.
“NSA determined that under the Authorization it could gain access to approximately 81% of the international calls into and out of the United States through three corporate partners,” the report said.
Barton Gellman, Carol Leonnig, Kimbriell Kelly and Sari Horwitz contributed to this report.