Oversight board says NSA data mining puts citizens’ privacy at risk but sees no abuse

Walter Pincus
Reporter July 14

The National Security Agency does not have the time or personnel to eliminate innocent U.S. citizens’ communications collected under Section 702 of the Foreign Intelligence Surveillance Act.

The programs gather foreign intelligence by soaking up electronic communications to, from or about targeted non-U.S. citizens abroad.

Walter Pincus reports on intelligence, defense and foreign policy for The Washingon Post. He first came to the paper in 1966 and has covered numerous subjects, including nuclear weapons and arms control, politics and congressional investigations. He was among Post reporters awarded the 2002 Pulitzer Prize for national reporting. View Archive

The NSA’s procedures require the destruction of irrelevant communications made by or concerning U.S. citizens, but that “rarely happens,” notes a July 2 report from the five-member Privacy and Civil Liberties Oversight Board (PCLOB).

That’s because “NSA analysts do not review all or even most communications acquired under Section 702,” the PCLOB found.

As a result, “apart from communications acquired inadvertently, U.S. persons’ communications are not typically purged or eliminated from the government’s Section 702 databases before the end of their default retention periods even when the communications pertain to matters unrelated to foreign intelligence or crime,” the board said.

It reported that the NSA, the CIA and the FBI have different rules under which archive searches can be conducted.

At the NSA, queries of Section 702 databases based on a U.S. citizen’s name, key words or phrases, or e-mail addresses can be undertaken if they are “reasonably likely to return foreign intelligence information,” even if there is no suspicion of wrongdoing.

Prior approval is required, and a record is kept of that approval. The NSA last year approved 198 terms involving identifiers of U.S. citizens for content queries of communications acquired under Section 702.

The CIA has the same standards for content queries and conducted 1,900 of them in the unreviewed Section 702 database in 2013, though 40 percent were for other U.S. intelligence agencies.

The FBI queries are not just for foreign intelligence but also for evidence of crimes. The FBI reviews its 702-acquired data whenever it opens a new national security investigation or an assessment that may be unrelated to national security.

As a result of these differing approaches, the board said “applicable rules may allow a substantial amount of private information about U.S. persons to be acquired by the government, examined by its personnel, and used in ways that may have a negative impact on those persons.”

Although there are no reliable figures on how many communications of U.S. citizens have been acquired, the board said, “the government may be gathering and utilizing a significant amount of information about U.S. persons under Section 702.”

The board emphasized that it found no illegitimate activity or abuse during its review, nor efforts to circumvent the legal limits or rules governing the use of the data.

Still, is your privacy violated when the government collects and stores your information? Is it violated when your archived data are queried and read, or does a violation arise only when that information is made public or used against you?

The board says: “The collection and examination of U.S. persons’ communications represent a privacy intrusion even in the absence of misuse for improper ends.”

As a result, the board wants more clarification about the gathering and handling of U.S. citizens’ communications.

Much of what the board found relates to a July 5 Washington Post article that described some 160,000 intercepted e-mail and instant-message conversations supplied by former NSA contractor Edward Snowden.

Why does the Obama administration and the intelligence community consider the 702 programs so important, despite their potential threat to privacy?

As the board reports, administration and legislative officials said, “With respect to terrorism, communications involving someone in the United States are some of the ‘most important’ communications acquired under the program.”

In the past year, beyond the 54 cases first described after the Snowden disclosures, about 20 cases were shared with the board that showed Section 702 collections offered support for existing counterterrorism probes. An additional 30 cases aided in the identification of previously unknown terrorist operatives or plots, and 15 cases involved some ties to the United States — such as the site of a planned attack or the location of operatives.

What makes the programs so useful?

The Foreign Intelligence Surveillance Act (FISA), which governs court-approved surveillance of U.S. citizens or individuals within this country, requires evidence of probable cause that the target is an agent of a foreign power or that a telephone number or communication vehicle is used by a foreign power or agent.

Under Section 702, the court requires approval only of the type of foreign intelligence sought and procedures to be used for targeting and handling the information gathered. Targets can even include foreigners “who might have knowledge about a suspected terrorist,” according to the board report.

The board believes that a FISA court finding is required before any query of a U.S. citizen can be made in the data collected under Section 702, but the standard should be that it is “reasonably likely to return foreign intelligence information.”

That should protect both security needs and individuals’ civil liberties, depending on how any information turned up is eventually used.

For previous Fine Print columns, go to washingtonpost.com/fedpage.

Comments
Show Comments

Get the WorldViews newsletter

Sign up for daily updates from WorldViews.

Most Read World