It issues a certificate, good for one year, that allows the NSA to order a U.S. Internet or phone company to turn over over e-mails, phone calls and other communications related to a series of foreign targets, none of which the court approved individually.
“What’s most striking about the targeting procedures is the discretion they confer on the NSA,” said Elizabeth Goitein, co-director of the Brennan Center for Justice’s Liberty and National Security program.
In figuring out whether a target is “reasonably believed” to be located overseas, for example, the agency looks at the “totality of the circumstances” relating to a person’s location. In the absence of that specific information, “a person reasonably believed to be located outside the United States or whose location is not known will be presumed to be a non-United States person,” according to rules on the targeting of suspects.
Nonetheless, the documents contain a series of steps the NSA may take to determine a foreigner’s location. Agency analysts examine leads that may come from other agencies, including from human sources. They conduct research in NSA databases, scrutinize Internet protocol addresses and target “Internet links that terminate in a foreign country.”
“When NSA proposes to direct surveillance at a target, it does so because NSA has already learned something about the target,” according to the targeting rules. Often, that lead comes from the CIA or a law enforcement agency.
The NSA uses whatever details are contained in that lead to make an initial assessment of whether it is being asked to eavesdrop on an overseas target. But the agency then takes other steps depending on the circumstances, such as scanning databases “to which NSA has access but did not originate” for clues about location.
To prevent U.S. citizens and legal residents from being targeted, NSA keeps a database of phone numbers and e-mail addresses associated with people thought to be living in the country. New requests are compared to records on the list. Matches are signals to put the surveillance on hold.
The NSA then goes through a sequence of potential additional checks, according to the document. It may look at area codes and the ordinary data packets that accompany e-mails as they cross the Internet. And it may check contact lists associated with e-mail accounts, as well as massive “knowledge databases” that contain CIA intelligence reports.
After it begins intercepting calls or e-mails, the NSA is supposed to continue to look for signs that the person it is monitoring has entered the United States, which would prompt a halt in surveillance and possibly a notification to the FBI.
The document on “minimization” spells out rules for protecting privacy, some of which have been described publicly. The rules protect not just citizens, but foreigners in the United States.
If domestic communications lack significant foreign intelligence information, they must be promptly destroyed. Communications concerning Americans may not be kept more than five years.
If a target who was outside the United States enters the country, the monitoring must stop immediately.