Newly declassified memos detail extent of improper Obama-era NSA spying
The National Security Agency and FBI violated specific civil liberty protections during the Obama administration by improperly searching and disseminating raw intelligence on Americans or failing to promptly delete unauthorized intercepts, according to newly declassified memos that provide some of the richest detail to date on the spy agencies' ability to obey their own rules.
The memos reviewed by The Hill were publicly released on July 11 through Freedom of Information Act litigation by the American Civil Liberties Union.
They detail specific violations that the NSA or FBI disclosed to the Foreign Intelligence Surveillance Court or the Justice Department's national security division during President Obama's tenure between 2009 and 2016. The intelligence community isn't due to report on compliance issues for 2017, the first year under the Trump administration, until next spring.
The NSA says that the missteps amount to a small number - less than 1 percent - when compared to the hundreds of thousands of specific phone numbers and email addresses the agencies intercepted through the so-called Section 702 warrantless spying program created by Congress in late 2008.
"Quite simply, a compliance program that never finds an incident is not a robust compliance program," said Michael Halbig, the NSA's chief spokesman. "The National Security Agency has in place a strong compliance program that identifies incidents, reports them to external overseers, and then develops appropriate solutions to remedy any incidents."
But critics say the memos undercut the intelligence community's claim that it has robust protections for Americans incidentally intercepted under the program.
"Americans should be alarmed that the NSA is vacuuming up their emails and phone calls without a warrant," said Patrick Toomey, an ACLU staff attorney in New York who helped pursue the FOIA litigation. "The NSA claims it has rules to protect our privacy, but it turns out those rules are weak, full of loopholes, and violated again and again."
Section 702 empowers the NSA to spy on foreign powers and to retain and use certain intercepted data that was incidentally collected on Americans under strict privacy protections. Wrongly collected information is supposed to be immediately destroyed.
The Hill reviewed the new ACLU documents as well as compliance memos released by the NSA inspector general and identified more than 90 incidents where violations specifically cited an impact on Americans. Many incidents involved multiple persons, multiple violations or extended periods of time.
For instance, the government admitted improperly searching the NSA's foreign intercept data on multiple occasions, including one instance in which an analyst ran the same search query about an American "every work day" for a period between 2013 and 2014.
There also were several instances in which Americans' unmasked names were improperly shared inside the intelligence community without being redacted, a violation of the so-called minimization procedures, loosened by Obama in 2011, that are supposed to protect Americans' identity from disclosure when they are intercepted without a warrant. Numerous times improperly unmasked information about Americans had to be recalled and purged after the fact, the memos stated.
"CIA and FBI received unminimized data from many Section 702-tasked facilities and at times are thus required to conduct similar purges," one report noted.
"NSA issued a report which included the name of a United States person whose identity was not foreign intelligence," said one typical incident report from 2015, which said the NSA eventually discovered the error and "recalled" the information.
Likewise, the FBI disclosed three instances between December 2013 and February 2014 of "improper disseminations of U.S. persons identities."
The NSA also admitted it was slow in some cases to notify fellow intelligence agencies when it wrongly disseminated information about Americans. The law requires a notification within five days, but some took as long as 131 business days and the average was 19 days, the memos show.
U.S. intelligence officials directly familiar with the violations told The Hill that the memos confirm that the intelligence agencies have routinely policed, fixed and self-disclosed to the nation's intelligence court thousands of minor procedural and more serious privacy infractions that have impacted both Americans and foreigners alike since the warrantless spying program was created by Congress in late 2008.
Alexander Joel, who leads the Office of Civil Liberties, Privacy and Transparency under the director of national intelligence, said the documents chronicle episodes that have been reported to Congress and the Foreign Intelligence Surveillance Court for years in real time and are a tribute to the multiple layers of oversight inside the intelligence community.
"We take every compliance incident very seriously and continually strive to improve compliance through our oversight regime and as evidenced by our reporting requirements to the FISC and Congress," he told The Hill. "That said, we believe that, particularly when compared with the overall level of activity, the compliance incident rate is very low."
The FBI said it believes it has adequate oversight to protect Americans' privacy, while signaling it will be pushing Congress hard this fall to renew the Section 702 law before it expires.
"The FBI's mission is to protect the American people and uphold the Constitution of the United States," the bureau said in a statement to The Hill. "When Congress enacted Section 702, it built in comprehensive oversight and compliance procedures that involve all three branches of government. These procedures are robust and effective in identifying compliance incidents. The documents released on July 11, 2017 clearly show the FBI's extensive efforts to follow the law, and to identify, report, and remedy compliance matters.
"Section 702 is vital to the safety and security of the American people. It is one of the most valuable tools the Intelligence Community has, and therefore, is used with the utmost care by the men and women of the FBI so as to not jeopardize future utility. As such, we continually evaluate our internal policies and procedures to further reduce the number of these compliance matters."
The new documents show that the NSA has, on occasion, exempted itself from its legal obligation to destroy all domestic communications that were improperly intercepted.
Under the law, the NSA is supposed to destroy any intercept if it determines the data was domestically gathered, meaning someone was intercepted on U.S. soil without a warrant when the agency thought they were still overseas. The NSA, however, has said previously it created "destruction waivers" to keep such intercepts in certain cases.
The new documents confirm the NSA has in fact issued such waivers and that it uncovered in 2012 a significant violation in which the waivers were improperly used and the infraction was slow to be reported to the court.
"In light of related filings being presented to the Court at the same time this incident was discovered and the significance of the incident, DOJ should have reported this incident under our immediate notification process," then-Assistant Attorney General Lisa Monaco wrote the FISA court on Aug. 28, 2012, about the episode, according to one memo released through FOIA.
The NSA declined to say how often destruction waivers are given. But Joel, of the Office of the Director of National Intelligence, said the Foreign Intelligence Surveillance Court has supervised such waivers and affirmed they are "consistent with the Fourth Amendment of the Constitution and the statutory requirements of Section 702."
Other violations cited in the memos:
- Numerous "overcollection incidents" in which the NSA gathered information about foreigners or Americans it wasn't entitled to intercept.
- "Isolated instances in which NSA may not have complied with the documentation requests" justifying intercepts or searches of intercepted data.
- The misuse of "overly broad" queries or specific U.S. person terms to search through NSA data.
- Failures to timely purge NSA databases of improperly collected intelligence, such as a 2014 incident in which "NSA reported a gap in its purge discovery processes."
In annual and quarterly compliance reports that have been released in recent years, U.S. intelligence agencies have estimated the number of Section 702 violations has averaged between 0.3 percent and 0.6 percent of the total number of "taskings." A tasking is an intelligence term that reflects a request to intercept a specific phone number or email address.
The NSA now targets more than 100,000 individuals a year under Section 702 for foreign spying, and some individual targets get multiple taskings, officials said.
"The actual number of compliance incidents remains classified but from the publicly available data it is irrefutable that the number is in the thousands since Section 702 was fully implemented by 2009," said a senior U.S. official with direct knowledge, who spoke only on condition of anonymity.
The increasing transparency on Section 702 violations is having an impact on both critics and supporters of a law that is up for renewal in Congress at the end of this year. Of concern are the instances in which Americans' data is incidentally collected and then misused.
Retired House Intelligence Committee Chairman Pete Hoekstra, a Republican who strongly supported the NSA warrantless spying program when it started under President George W. Bush, said he now fears it has become too big and intrusive.
"If I were still in Congress today, I might vote with the people today to shut the program down or curtail it," Hoekstra, who has been tapped by Trump to be ambassador to the Netherlands, said in an interview.
"One percent or less sounds great, but the truth is 1 percent of my credit card charges don't come back wrong every month. And in my mind one percent is pretty sloppy when it can impact Americans' privacy."
This story was updated at 10:38 a.m.