National Security Agency broke court rules with queries of phone database

Organisation declassifies documents on privacy protections between 2006 and 2009

The National Security Agency campus in Fort Meade, Maryland. The agency has secretly circumvented or cracked much of the digital scrambling that protects global commerce, e-mails, phone calls, medical records and web searches, according to newly disclosed documents. Photograph: Government handout via The New York Times
The National Security Agency campus in Fort Meade, Maryland. The agency has secretly circumvented or cracked much of the digital scrambling that protects global commerce, e-mails, phone calls, medical records and web searches, according to newly disclosed documents. Photograph: Government handout via The New York Times

The National Security Agency routinely violated court-ordered privacy protections between 2006 and 2009 by examining phone numbers without sufficient intelligence tying them to associates of suspected terrorists, according to US officials and newly declassified documents.

The Foreign Intelligence Surveillance Court, which oversees requests by spy agencies to tap phones and capture email in pursuit of information about foreign targets, required the NSA to have a “reasonable articulable suspicion” that phone numbers were connected to suspected terrorists before agents could search a massive call database to see what other numbers they had connected to, how often and for how long.

But between 2006 and 2009, the agency used an “alert list” to search daily additions to the US calling data, and that list contained mostly numbers that merely been deemed of possible foreign intelligence value, a much lower threshold.

The alert list grew from about 3,980 phone numbers in 2006 to 17,835 by early 2009, and only 2,000 of the larger number met the required standard for certified reasonable suspicion of a terrorist tie, officials said.

READ MORE

Each inquiry could scan for the phone number’s called contacts and then those people’s contacts, so that many more US residents could have been swept up.

But in official briefings for the press yesterday, intelligence authorities said that those numbers on the alert list were only checked against new calls, not the historical record of all calls, so that no full “chain analysis” usually resulted.

“This was used by analysts to try to prioritise their work,” one official said. “If you’re trying to pick 25 players for a major league baseball team, you might give 500 a tryout.”

But about 600 US numbers were improperly passed along to the Central Intelligence Agency and Federal Bureau of Investigation as suspicious, the records show.

In addition, scores of analysts from the sister agencies had access to the calling database without proper training.

The new disclosures add a fresh perspective to recent statements by the NSA Director Keith Alexander than only 300 or so numbers were run against the master calling database in 2012.

That was years after the secret court concluded it had been badly misled, ordered a temporary halt to the automated searches, and mulled contempt proceedings before the NSA drastically curtailed its practices.

In January 2009, the court ruled that the alert-list procedure was “directly contrary to the sworn attestations of several executive branch officials.”

Alexander and other officials responded with filings maintaining that no one at the NSA had fully understood all of the rules around the calling-records database, the software used to search it, and the significance of internal markings.

"From a technical standpoint, there was no single person who had a complete technical understanding," General Alexander told the court in February 2009. He said numerous officials made honest mistakes, such as concluding that restrictions on "archived" phone records did not also apply to the daily influx of new calling records.

The documents were declassified by the Office of the Director of National Intelligence after a long fight with the Electronic Frontier Foundation and the American Civil Liberties Union, that filed a Freedom of Information Act lawsuit two years ago.

The lawsuit gained steam after former NSA contractor Edward Snowden leaked thousands of documents about the agency's practices, including an earlier surveillance court ruling compelling Verizon Communications to turn over all its raw calling records, though not the content of the calls.

Officials confirmed that document was genuine and declassified some related papers.

In another lawsuit, the government last month released another ruling by the same 11-member court that found some of the NSA’s email collection practices were unconstitutional because they scooped up tens of thousands of emails between Americans.

Two Democratic senators who have long hinted about undisclosed surveillance problems, Ron Wyden for Oregon and Mark Udall for Colorado, said in a joint statement: "When the executive branch acknowledged last month that 'rules, regulations and court-imposed standards' intended to protect Americans' privacy had been violated thousands of times each year, we said that this confirmation was 'the tip of a larger iceberg.'

“With the documents declassified and released this afternoon by the Director of National Intelligence, the public now has new information about the size and shape of that iceberg.”

Director of National Intelligence James Clapper said in a statement online that the latest declassified documents showed that intelligence officials had self-reported problems with the programme and corrected them.

“The government has undertaken extraordinary measures to identify and correct mistakes that have occurred in implementing the bulk telephony metadata collection programme - and to put systems and processes in place that seek to prevent such mistakes from occurring in the first place,” Mr Clapper said.

For a time after the 2009 phone-record ruling, the NSA was required to seek court approval for every query to the database.

After the NSA changed its procedures, the court again allowed the agency to conduct queries on its own.

Reuters