NSA Statements on Stopping Certain Foreign Intelligence Collection Activities

Susan Hennessey
Friday, April 28, 2017, 3:52 PM

As Quinta has already flagged, the New York Times has reported that NSA has stopped the practice of “about” collection under Section 702 of FISA. NSA has now released a set of statements.

NSA Stops Certain Foreign Intelligence Collection Activities Under Section 702:

Published by The Lawfare Institute
in Cooperation With
Brookings

As Quinta has already flagged, the New York Times has reported that NSA has stopped the practice of “about” collection under Section 702 of FISA. NSA has now released a set of statements.

NSA Stops Certain Foreign Intelligence Collection Activities Under Section 702:

The National Security Agency is instituting several changes in the way it collects information under Section 702 of the Foreign Intelligence Surveillance Act.

Section 702, set to expire at the end of this year, allows the Intelligence Community to conduct surveillance on only specific foreign targets located outside the United States to collect foreign intelligence, including intelligence needed in the fight against international terrorism and cyber threats.

NSA will no longer collect certain internet communications that merely mention a foreign intelligence target. This information is referred to in the Intelligence Community as "about" communications in Section 702 "upstream" internet surveillance. Instead, NSA will limit such collection to internet communications that are sent directly to or from a foreign target.

Even though NSA does not have the ability at this time to stop collecting "about" information without losing some other important data, the Agency will stop the practice to reduce the chance that it would acquire communications of U.S. persons or others who are not in direct contact with a foreign intelligence target.

Finally, even though the Agency was legally allowed to retain such "about" information previously collected under Section 702, the NSA will delete the vast majority of its upstream internet data to further protect the privacy of U.S. person communications.

The changes in policy followed an in-house review of Section 702 activities in which NSA discovered several inadvertent compliance lapses.

NSA self-reported the incidents to both Congress and the FISC, as it is required to do. Following these reports, the FISC issued two extensions as NSA worked to fix the problems before the government submitted a new application for continued Section 702 certification. The FISC recently approved the changes after an extensive review.

The Agency's efforts are part of its commitment to continuous improvement as we work to keep the nation safe. NSA has a solemn responsibility and duty to do our work exactly right while carrying out our critical mission.

NSA Stops Certain Section 702 "Upstream" Activities:

Since 2008, the National Security Agency (NSA) and other members of the U.S. Intelligence Community have relied on Section 702 of the Foreign Intelligence Surveillance Act (FISA) to conduct surveillance on specific foreign targets located outside the United States to acquire critical intelligence on issues ranging from international terrorism to cybersecurity. After a comprehensive review of mission needs, current technological constraints, United States person privacy interests, and certain difficulties in implementation, NSA has decided to stop some of its activities conducted under Section 702.

While the Foreign Intelligence Surveillance Court (FISC) was considering the government's annual application to renew the Section 702 certifications, NSA reported several earlier, inadvertent compliance incidents related to queries involving U.S. person information in 702 "upstream" internet collection. Although the incidents were not willful, NSA was required to, and did, report them to both Congress and the FISC. The court issued two extensions of the government's renewal application in order to receive additional information from the government about this issue and the government's plan to resolve it. The previous year's certifications remained in effect during these extension periods.

During the extension period, NSA undertook a broad review of its Section 702 program. Under Section 702, NSA collects internet communications in two ways: "downstream" (previously referred to as PRISM) and "upstream." Under downstream collection, NSA acquires communications "to or from" a Section 702 selector (such as an email address). Under upstream collection, NSA acquires communications "to, from, or about" a Section 702 selector. An example of an "about" email communication is one that includes the targeted email address in the text or body of the email, even though the email is between two persons who are not themselves targets. The independent Privacy and Civil Liberties Oversight Board described these collection methods in an exhaustive report published in 2014.

After considerable evaluation of the program and available technology, NSA has decided that its Section 702 foreign intelligence surveillance activities will no longer include any upstream internet communications that are solely "about" a foreign intelligence target. Instead, this surveillance will now be limited to only those communications that are directly "to" or "from" a foreign intelligence target. These changes are designed to retain the upstream collection that provides the greatest value to national security while reducing the likelihood that NSA will acquire communications of U.S. persons or others who are not in direct contact with one of the Agency's foreign intelligence targets.

In addition, as part of this curtailment, NSA will delete the vast majority of previously acquired upstream internet communications as soon as practicable.

NSA previously reported that, because of the limits of its current technology, it is unable to completely eliminate "about" communications from its upstream 702 collection without also excluding some of the relevant communications directly "to or from" its foreign intelligence targets. That limitation remains even today. Nonetheless, NSA has determined that in light of the factors noted, this change is a responsible and careful approach at this time.

After reviewing amended Section 702 certifications and NSA procedures that implement these changes, the FISC recently issued an opinion and order, approving the renewal certifications and use of procedures, which authorize this narrowed form of Section 702 upstream internet collection. A declassification review of the FISC's opinion and order, and the related targeting and minimization procedures, is underway.

The National Security Agency works tirelessly around the world to help keep the nation safe. We have a solemn responsibility and commitment to do this work exactly right. When incidents occur, we immediately report them to oversight bodies and develop appropriate solutions. We never stop putting improvements in place while carrying out our critical mission.


Susan Hennessey was the Executive Editor of Lawfare and General Counsel of the Lawfare Institute. She was a Brookings Fellow in National Security Law. Prior to joining Brookings, Ms. Hennessey was an attorney in the Office of General Counsel of the National Security Agency. She is a graduate of Harvard Law School and the University of California, Los Angeles.

Subscribe to Lawfare