The Latest NSA Documents III: The Government Responds

On February 12, 2009, the government submitted a 28-page brief and 93 pages of supporting documentation to the FISC in response to the court’s January 28, 2009 order. The brief opens with two clear concessions: "The Government acknowledges that NSA's descriptions to the Court of the alert list process . . . were inaccurate and that the Business Records Order did not provide the Government with authority to employ the alert list in the manner in which it did."

More important than the brief itself is the accompanying 42-page declaration by NSA Director Keith Alexander, on which the brief is largely based. The Alexander Declaration offers a clearer account of the human errors that led NSA to violate FISC orders and to misrepresent the alert list process to the court. The Alexander Declaration is also the more significant document in that it answers each of the questions that the court expressly ordered the government to address.

Together, the brief, the Alexander Declaration, and the internal documents submitted as attachments explain how NSA inadvertently violated the court orders, how it inadvertently misrepresented its use of telephony metadata to the FISC, and how the government caught and notified the court of its errors. They also provide an overview of the government’s steps to review and remedy the compliance incident and its plans for establishing a more robust oversight regime. The brief presents these changes as an argument for why, despite NSA’s errors, the court should not modify or rescind the production orders for telephony metadata memorialized in its December 12, 2008 supplemental opinion, or take further remedial or disciplinary action.

In short, the FISC had authorized NSA to use only RAS-approved telephone identifiers to access its vast store of archived data. But the alert list process that NSA implemented to help prioritize its metadata review violated this restriction by allowing analysts to compare non-RAS approved telephone identifiers against the incoming telephony metadata. The NSA personnel who designed the business records (BR) FISA alert list process incorrectly believed that the telephone identifiers on the alert list were not required to satisfy the RAS standard; they believed instead that the standard was triggered only when an analyst sought access to NSA's database of BR data. The brief explains, “NSA personnel . . . appear to have viewed the alert system as merely pointing to a particular identifier on the alert list that required determination of whether the RAS standard had been satisfied before permitting contact chaining and/or pattern analysis in the archived BR FISA data."

On May 25, 2006, NSA's Signals Intelligence Directorate (SID) asked for the concurrence of NSA’s Office of General Counsel (OGC) on draft procedures for implementing the court's May 24, 2006 order. Neither SID nor OGC identified the inclusion of non-RAS approved identifiers on the alert list as a potential problem. The procedures described the general process by which identifiers on the alert list would be compared against incoming BR metadata, and close examination of the description should have revealed that the alert list contained both RAS-approved and non-RAS-approved telephone identifiers (though the description did not state this expressly). It appears the focus was instead placed on ensuring that the RAS standard was satisfied before analysts accessed the archived data to conduct contact chaining; OGC added express language to that effect in concurring with use of the draft procedures.

The brief and the Alexander Declaration explain how the alert list system was designed, which is key to understanding NSA’s compliance failures and subsequent misrepresentations to the court. On May 26, 2006, based on the procedures approved by the OGC, the chief of NSA-Washington's counterterrorism organization in SID directed the alert list rebuilt to include only identifiers assigned to particular "bins" or "zip codes.” Personnel in NSA's counterterrorism organization therefore built two lists to manage the alert process. The first list, called the "alert list," included all foreign and domestic identifiers of interest to counterterrorism analysts charged with a particular tracking assignment, and in fact consisted of RAS-approved identifiers as well as non-RAS approved identifiers. This first list was used to alert NSA’s counterterrorism organization if there was a match between an identifier on the list and incoming telephony metadata obtained by NSA from the Business Records Order and NSA's other sources of signal intelligence collection. The second list, called the "station table," was a historical listing of all telephone identifiers that had undergone an RAS determination. The station table was used to ensure only RAS-approved "seed" identifiers were used to conduct contact chaining in the BR metadata archive. Thus, the rebuilt alert list system was designed to compare both BR metadata and signals intelligence against identifiers on the alert list, but to allow only those alerts generated from RAS approved telephone identifiers to be used to conduct contact chaining of BR metadata.

Contact chaining is a process that enables NSA to discover previously-unknown telephone identifiers used by a known terrorist operative, to discover previously-unknown terrorist operatives, to identify common contacts between targets of interest previously believed to be unconnected, and potentially to discover individuals willing to become government assets. It appears that personnel focused their efforts on conducting contact chaining in compliance with court-ordered RAS standards, but they paid comparatively little attention to ensuring that identifiers on the alert list also complied with RAS standards.

The result was that most telephony identifiers compared against the incoming BR metadata were not RAS approved. As of January 15, 2009, in fact, when the court was first notified of the issue, only 1,935 of the 17,835 identifiers on the list were RAS approved, the government disclosed.

The filing also addresses how NSA ended up submitting to the court various reports inaccurately stating that the telephone identifiers on the alert list satisfied the RAS standard, when in fact most of the identifiers on the list did not.

On August 12, 2006, the NSA OGC attorney responsible for drafting the initial report circulated the draft to other OGC attorneys and personnel before it was submitted to the court, and expressly asked the recipients to review the draft’s accuracy (the internal email is attached as Exhibit D). Nobody flagged the inaccurate alert list description, which stated that the telephone identifiers on the alert list satisfied the RAS standard. The inaccurate description was therefore included in the August 18, 2006 report and in all subsequent reports submitted to the court.

The brief concedes that "there was no single person who had a complete technical understanding of the BR FISA system architecture," which "probably also contributed" to the inaccurate alert list description contained in NSA's reports to the court.

Noting that the FISC has historically demonstrated a "strong preference" for resolving compliance incidents through additional procedures and safeguards, "rather than by imposing the extraordinary and final remedy of rescission,” the government’s brief urges the court not to rescind or modify the authorization orders outlined in its December 12, 2008 supplemental opinion. To demonstrate that such changes are unnecessary, the government details the remedial steps it has already taken and the additional oversight mechanisms it will implement in response to the compliance incident.

The brief assures the court that since notifying the court of the alert list problem, NSA has 1) taken steps to sequester and shut off access to any alerts generated from comparing incoming BR metadata against non-RAS-approved identifiers, 2) begun reengineering the alert process to ensure only RAS-approved telephone identifiers are compared against incoming BR metadata, and most importantly, 3) shut off the alert list process on January 24, 2009 for resumption only when the process conforms with the court's orders.

Based on information in the Alexander Declaration, the brief suggests limited harms stemming from improper use of non-RAS approved identifiers, based on a review of all 275 reports disseminated by NSA since May 2006 as a result of contact chaining [redacted] of BR metadata. And unlike reports generated from BR metadata, which were disseminated outside NSA, the alerts generated from a comparison of BR metadata against the alert list were only disseminated to SIGINT personnel responsible for counterterrorism activity. NSA eliminated analyst access to any alerts generated from the comparison of non-RAS approved identifiers against incoming BR metadata.

The brief describes several measures implemented by NSA after the compliance incident to review and audit its handling of BR metadata, including end-to-end system engineering. NSA's SIGINT Oversight & Compliance Office also launched an effort to redesign training for operational personnel with access to BR metadata, who will now be subject to competency training and in-person briefings.

The brief states that NSA is making two changes to the tools that its analysts use to conduct contact chaining of the BR metadata, to prevent the system from accepting any non-RAS approved identifier as the seed identifier for contact chaining, and to ensure that the software limits analysts to three "hops" from a RAS-approved seed identifier. The brief then offers a bulleted list of six oversight mechanisms that the government will implement in addition to those ordered by the court. Most involve promoting greater consultation and coordination between NSA's OGC and the NSD.

The last section of the brief is dedicated to establishing the value of the BR metadata to the government's mission. Citing the initiation of its own internal investigative measures, the government also seeks to dissuade the court from taking action against individual persons responsible for misrepresentations to the court for violations of its orders.

Finally, the Alexander Declaration offers answers to the court’s seven questions:

1. Prior to January 15, 2009, who within the executive branch knew that the alert list being used to query the Business Record database included telephone identifiers that did not meet the RAS standard, and when?

The Declaration lists the names and titles of eleven NSA personnel who knew or may have known that the alert list contained both RAS and non-RAS approved identifiers and were run against the incoming BR FISA data, as well as those of three individuals included on the OGC's May 25, 2006 email concurrence.

2. How long has the unauthorized querying been conducted?

The Declaration states that unauthorized querying took place for about two and a half years, commencing with the court’s May 24, 2006 order and ending with the shutdown of the BR FISA alerts on January 24, 2009.

3. Fully describe how the unauthorized querying came to light.

The Declaration states that the unauthorized querying came to light during an NSA-DOJ briefing and follow-up discussion on NSA's handling of BR FISA material.

4. Why did none of the entities ordered to conduct oversight over this program identify the problem earlier? Describe how each entity has exercised its oversight responsibilities pursuant to court orders.

The Declaration emphasizes that NSA’s errors in describing the alert list process to the court were not for lack of oversight. BR FISA activity received regular oversight from NSA'S Office of Inspector General (OIG), SIGINT Directorate and NSA's OGC. The Declaration also emphasizes that the errors in processing BR FISA data and representing the alert list process to the court were not deliberate.

5. What standard is applied for tasking telephone identifiers under NSA's SIGINT authority? Does NSA task telephone identifiers associated with U.S. persons? If so, does NSA limit such identifiers to those not selected solely based on First Amendment protected activities?

SIGINT Tasking Standard: Irrespective of whether a telephone identifier is assessed against the RAS standard, NSA personnel may not task an identifier for any collection or analysis pursuant to NSA's general SIGINT authorities unless it "is likely to produce information of foreign intelligence value." NSA's counterterrorism organization conducts reviews of the alert list twice a year to ensure that the zip codes used to identify whether telephony identifiers on the list remain covered by the Business Records Order.

U.S. Person Tasking: NSA has some authority to task telephony identifiers associated with U.S. persons for SIGINT collection under EO 12333, but only according to procedures approved by the Attorney General. Some of NSA's SIGINT activities are also regulated by the FISA.

First Amendment Considerations: The Declaration acknowledges the various authorities that forbid NSA from targeting of any U.S. person solely on the basis of protected First Amendment activities.

6. In what form does the government retain and disseminate information it derives from queries run against hte business records data archive?

Through July 29, 2008, NSA archived the reports it disseminated from its analysis of data in the BR FISA data repository "in a special program-specific limited access data repository" and on a restricted group of servers. Information in the BR FISA data archive is retained for five years. The Declaration states the results of its review of the 275 reports of domestic contacts that NSA disseminated as a result of contact chaining of NSA's BR FISA data archive: no report from the automated alert process resulted from the use of a non-RAS approved identifier as the initial seed identifier for chaining, and any U.S. identifier that served as the initial seed identifier for a report was either already subject to FISC-approved surveillance or had been reviewed by the OGC to ensure the RAS determination was not based entirely on first-amendment-protected activities. (A sample report is attached as Exhibit H, and an example of an alert generated by the alert system prior to January 23, 2009 is attached as Exhibit I.)

7. How would the government identify and purge information derived from queries run against the business records data archive using non-RAS approved telephony identifiers, if so ordered?

The Declaration notes that NSA analysts were not authorized to use non-RAS-approved identifiers to conduct chaining or pattern analysis of NSA's repository of BR FISA material. Where improper querying was identified, NSA purged data and corrected the deficiencies that resulted in the improper querying. NSA eliminated analyst access to any alerts generated from comparison of non-RAS approved identifiers against incoming BR FISA material. The Declaration concedes that it has not yet purged copies of alerts generated from these improper comparisons because of possible complications posed by a data preservation order NSA had received in an ongoing litigation matter.