For the Civil Rights Litigation Clearinghouse collection of FISA matters, see our special collection
On November 18, 2013, the Director of National Intelligence authorized the declassification and public release of numerous orders approving the National Security Agency's ("NSA") so-called "Bulk Internet Metadata Program" under Section 402 of the Foreign Intelligence Surveillance Act of 1978 ("FISA"), commonly referred to as the Pen Register and Trap and Trace (PR/TT) provision, or Section 214 of the USA PATRIOT Act. Press release available here
. On August 11, 2014, the Director of National Intelligence authorized another declassification and public release of additional documents regarding the now-discontinued NSA Bulk Electronic Communications Metadata Program pursuant to Section 402 of FISA. Press release available here
Under the program, the NSA collected records from large telecommunication companies about electronic communications metadata. These records included the "to," "from," "cc," and "bcc" lines of an email and the email's time and date. The program did not authorize the collection of content of any electronic communications. Once collected, the records were stored for several years and were authorized to be queried, used, and disseminated only in accordance with "minimization rules" proposed by the government and approved by the Foreign Intelligence Surveillance Court ("FISC"). The most basic aspect of the minimization rules was that the metadata records were to be queried only when there was a reasonable suspicion, based on specific and articulated facts, that the identifier used as the basis for the query was associated with specified foreign terrorist organizations.
NSA collection of email metadata began in 2001, as part of the "President's Surveillance Program." Apparently the government took the position that internet metadata could be collected lawfully without court order because the NSA did not actually "acquire" communications until particular items were selected for review, after they showed up via query. But after Department of Justice lawyers raised objections to this theory, and accordingly to the program's legality, the Attorney General sought judicial ratification of the internet metadata program under the FISA pen/trap provisions, and the FISA Court blessed it in an order dated July 14, 2004. Except for a brief period in 2009, the FISC reauthorized the program approximately every 90 days until the Obama administration discontinued it in 2011. As of April 2014, only three FISC opinions and four FISC orders related to the internet metadata collections program have been released. All the opinions and orders have been significantly redacted. They nonetheless explain a good deal about how the program worked.
The volume of material collected was "enormous" from its beginning, as the first of these opinions explains. At the start, the government aimed "to build a meta data archive that will be, in relative terms, richly populated with [redacted] related communications." As the Court reported the government's initial intentions, "[s]ome proportion of these communications-less than half, but still a huge number in absolute terms-can be expected to be communications [redacted] who bear no relation to [redacted]." In 2009 or 2010, however, the government "in comparison with prior dockets, [sought] authority to acquire a much larger volume of metadata at a greatly expanded range of facilities." The growth in volume and scope included extending collection beyond the "streams of data with a relatively high concentration of Foreign Power communications" that had previously been the focus. Until the program ended, in 2011, the pen/trap bulk collection began to reach "electronic communications, the vast majority of which, viewed individually, are not relevant to the counterterrorism purpose of the collection, and many of which involve United States persons."
The FISC initially approved the internet metadata program in 2004 in an opinion by Judge Colleen Kollar-Kotelly under docket PR-TT [redacted], NS-DC-0028
in this Clearinghouse.
After allowing the authorization to expire in the fall 2009, the government worked on addressing the compliance issues that had plagued the program. The next ruling that has been publicly released was issued in July 2010 by FISC Judge John D. Bates. In the 117-page opinion
and the primary order
, Judge Bates granted the government's application to renew the program in part and denied it in part.
Prior to this July 2010 application, the government had elected to allow the authorization for the program to expire for several months. Judge Walton had directed the government not to access or transfer the information previously obtained because of some of it had been obtained without authorization. The compliance issues were discussed in NS-DC-0063
, and NS-DC-0065
in this Clearinghouse. The compliance issues in the PR/TT program were similar to those in the bulk telephony metadata collection program, and FISC Judge Reggie Walton ordered a review of both programs in March 2009. See FISA Docket 08-13, NS-DC-0011
, in this Clearinghouse.
differed from previous applications because the government sought authorization to query and use information previously obtained by the NSA, regardless of whether the FISC had authorized its collection under prior PR/TT orders.
Along with the application, the government submitted a Memorandum
of Law and Fact in Support of the application. The government submitted a Declaration
of General Keith B. Alexander, Director of the NSA, in support of the application. Finally, the government submitted "Exhibit D"
in support of the application. Exhibit D was correspondence from the government to the Court responding to certain factual and/or legal inquiries made by Judge Bates regarding the government's proposed application.
Three letters in response to the Court's questions concerning the Internet Metadata Collection Program have been released. While much of the first letter
has been redacted, it does discuss storing, accessing, and querying the metadata once it has been collected. All of the content of the second letter
has been redacted. Finally, the third letter
discusses tracking query results and the dissemination of intelligence reports. The government also addresses its request for a legal principle that would permit the government to access and use the over-collected data.
In his opinion and order, Judge Bates noted that previous orders authorizing the internet metadata program included "important constants:" each order limited the collection to certain categories of metadata; analysts were required to limit queries by the reasonable articulable suspicion standard; and the NSA was limited in how and to whom information was disseminated. However, this application "acknowledges that the NSA exceeded the scope of authorized acquisition continuously during the more than [redacted] years of acquisition under these orders."
Judge Bates then reviewed Judge Kollar-Kotelly's 2004 opinion initially authorizing the program and the rationale supporting her opinion, NS-DC-0028
in this Clearinghouse. During that initial period of authorization, the government had disclosed that the NSA had exceeded the scope of what the government had requested and the FISC had approved. The unauthorized collection did not result from technical difficulties or malfunction, but from a failure of NSA officials to communicate minimization procedures and other safeguard requirements. Judge Kollar-Kotelly renewed the authority for the program, but implemented additional safeguard requirements including random spot checks by the NSA Office of General Counsel for compliance. However, as discussed previously, more compliance issues surfaced, involving (1) accessing of metadata; (2) disclosure of query results and information derived therefrom; and (3) overcollection.
Judge Bates ultimately held that the proposed collection fell within statutory requirements, but that the government could not access data from previously-conducted unauthorized collection. Judge Bates also ordered oversight and reporting: the NSA Office of General Counsel and Office of the Director of Compliance had to ensure proper training for NSA personnel, and the NSA had to submit a report every 30 days describing any instances in which the NSA shared information derived from the PR/TT program with anyone outside the NSA.
After Judge Bates granted authorization, the government submitted two letters to confirm their understanding of the issues relating to the authorization. Although mostly redacted, the first letter
identified five initial issues that the government needed confirmation of its understanding of the authorization as it applied to the five issues. The second letter
provided follow up information for issue four in the first letter. The rest of the letter has not been released.
These are the last FISC documents related to the internet metadata program released, at least so far. The final documents, in this Clearinghouse, are memoranda from the NSA's Office of Inspector General, which show that the program was halted in winter 2011. We do not have court documents explaining the events, but it is clear that the NSA shut down its internet metadata program in the winter of 2011, after allowing its final FISC authorization to expire.
We know this from two memos the NSA Office of Inspector General circulated within the NSA. In the first memo
, the IG's Office announced an audit to test whether adequate controls ensured the NSA's compliance with key terms of the FISC order for PR-TT devices. In the second memo
, the IG's Office suspended that audit after the government allowed the authorization for the Internet Metadata Collection Program to expire.
In November 2015, the New York Times reported
that the NSA ended the program because it was able to obtain the same information with less regulation. It could collect bulk data--including U.S. domestic data--in other countries, tapping into fiber optic cables abroad. (The rule against IC analysis of Americans' data collected abroad was changed
in 2010). And/or it could use the authority of Section 702 of the FISA Amendments Act of 2008, which permits warrantless surveillance that targets specific noncitizens abroad, including their new or stored emails to or from Americans. This reporting was based on FOIA-obtained documents, available here
.Elizabeth Homan - 04/27/2014
Jessica Kincaid - 01/31/2015