The National Security Agency has promised over and over again that it only spies on foreigners, and throws out ordinary communications if they're caught in the surveillance driftnet. But a pair of newly-leaked documents appear to undermine that claim. They include provisions that let the electronic spy agency hang onto some communications of Americans for several years - and in the meantime, allow the NSA to share information about U.S. citizens and legal residents to the CIA and the FBI. And if the government suspects that an American might commit a crime or spy for a foreign power some day, those records can be kept, too.
The documents, which were approved by the Foreign Intelligence Surveillance Court in July 2009 and published Thursday by the Guardian, offer the clearest picture yet of the NSA's so-called minimization and targeting procedures. They're also sure to re-ignite a debate about the NSA's surveillance activities - just as that discussion appeared ready to die down.
The document on minimization advises NSA personnel to "exercise reasonable judgment" in deciding whether to redact information about U.S. citizens or legal residents that is inadvertently collected during searches of foreigners' communications from intelligence reports or NSA databases. However, the agency is allowed to hang onto U.S. persons' communications for a period up to five years, the document says.
Analysts "will destroy" the information at the "earliest practicable point" that it can be determined to have no foreign intelligence value (for instance, it doesn't concern a spy or a terrorist) or that it doesn't contain any information about a crime, the document says.
"The communications that may be retained include electronic communications acquired because of limitations on NSA's ability to filter communications." This appears to mean that the agency can hang onto information that it is unable to definitively determine is not foreign in nature.
To help determine whether the target of surveillance is in fact a foreigner outside the United States, the NSA is allowed to use numerous databases, including those that contain phone numbers, Internet metadata, and human intelligence reports from the CIA. The documents indicate that the NSA is using its database of all domestic phone calls, known as Mainway, as well as metadata that's obtained during searches of Internet communications through the PRISM system.
It's during those Internet searches that the communications of innocent Americans are most likely to be swept up and disseminated across the government in secret reports. But according to the NSA's minimization rules, the agency may hand over "unminimized communications" to the CIA and the FBI. Those agencies are supposed to follow their own minimization procedures, but they are not described in the NSA document.
The NSA also is allowed to disseminate information on U.S. persons to foreign governments, so long as this is done in accordance with the agency's own minimization procedures. But these too raise puzzling questions.
For instance, the agency can use the names of a U.S. person in a disseminated report if "the information of or concerning the United States person is available publicly..." The document defines this as "information that a member of the public could obtain upon request, by research in public sources, or by casual observation." Does that mean the NSA can use a U.S. person's name if an analyst can Google it?
Not exactly. But if the NSA inadvertently collected, say, the tweets of a U.S. person, it could apparently use that U.S. person's name in reference to the tweets, because they are publicly available.
NSA also appears to be retain emails that use encryption, which is a common feature in some messaging services, such as Gmail.
"They are allowed to gather every encrypted email message," said Amie Stepanovich, the Director of the Domestic Surveillance Project at the Electronic Privacy Information Center. Based on the minimization document, Stepanovich said the NSA appears to retain these message for the purposes of understanding how to decrypt them and future messages that it might want to intercept.
"This document seems to allow the NSA to maintain a database of every encryption key to unlock any message that touches the United States," Stepanovich said.
Names of government officials may also be used in reports. And the name of a U.S. person can be used if he or she appears to be an agent of a foreign power or engaging in terrorist activities. There's no indication that such a determination is made or approved by the Foreign Intelligence Surveillance Court, which authorized the minimization procedures in the first place.
The NSA can also retain information about U.S. persons if the information concerns a crime that has been or is about to be committed, or if the information appears relevant to a "current or future intelligence requirement." In other words, it's information that would be useful for future spying by the government. These may include communications that have some "secret meaning" or are encrypted and that the agency might need to hang onto for future reference. NSA can retain that information for five years, unless the directors of its Signals Intelligence directorate determines in writing that "retention for a longer period is required to respond to authorized foreign intelligence or counterintelligence requirements."
If the NSA determines that a foreign target it's monitoring has entered the United States, it must terminate that monitoring "without delay," the document on targeting procedures says. However, if the agency can't be sure, it errs on the side of assuming that the target is a foreigner, and therefore fair game for collection.
"In the absence of specific information" about whether the target is a U.S. person, a person believed to be outside the country, or "whose location is not known," the individual "will be presumed to be a non-United States person" until positively identified otherwise. Analysts may also use subjective judgments, and consider whether "the nature or circumstances of the person's communications give rise to a reasonable belief" that the individual is really a U.S. person.
In some circumstances, NSA analysts also are allowed to listen to a phone call or read an email if they need to determine whether a target is actually in the United States. Analysts' monitoring of targets appears to be audited and maintained in a database of its own, according to the document. This allows for overseers to see the steps the analysts went through to determine whether the target was located outside the United States.
The oversight is conducted by the NSA itself, through it Signals Intelligence Directorate, working with the general counsel, the document says. The signals directorate conducts "periodic spot checks" to ensure that analysts are following the rules. The Justice Department and the Office of the Director of National Intelligence also conduct reviews at least once every sixty days. NSA is required to report to these agencies any instances of noncompliance within five business days of learning about the incident.
NSA is allowed to use leads from other agencies that might indicate whether the target is outside the United States, as well as statement from the target himself about his location. The agency can also rely on information obtained from computer hard drives, as well as tips from a foreign government to determine whether the target is outside the country.
When it comes to Internet communications, such as e-mails, the NSA can also consult its own database, which the document says includes "Internet communications metadata." This information may include IP addresses or "machine identifier information," which NSA compares to information in its "communication network databases" as well as commercially available sources of IP registrations.
The documents are dense and full of references to other authorities and orders that are not fully described. Bottom line, they appear to set some hard rules for avoiding targeting the communications of a U.S. person, but once that information is collected, even accidentally, there's a lot that the NSA can still do with it.
Accidental collection of U.S. citizens' electronic communications happens fairly frequently, according to Jay Healey, director of the Atlantic Council's cyber statecraft initiative who served as a U.S. Air Force intelligence officer in the 1990s.
"I started out my career as a signals intelligence officer, so I did my time listening to other people," said Healey during an event at the Brookings Institution in Washington. "I was, in that role, responsible at my unit if we gathered information on U.S. citizens, [while stationed at signals intelligence] site that actually happened to be on U.S. soil where it came up a couple of times a month where we actually would accidentally pick up someone, it was often a fishing boat or someone else doing other stuff."
He described the procedures then in place -- remember, this is before 9/11 and the Patriot Act -- to keep the eavesdroppers from including information on U.S. citizens in their intelligence reports.
"Operators were trained not to open an official file until they were sure it wasn't a U.S. person, if it did, they weren't in trouble, but they were frowned at," said Healey. "We had procedures to then take care of this information and make sure that it certainly didn't make it into reports and that we would go about taking it out of the records so that it didn't stay collected. I'm pretty confident about the process that went into this being legal and constitutional with regards to U.S. citizens."
Still, "I've gotta say the scope and scale of it leaves me, as a former SIGINT guy, leaves me gasping at the audacity and the scale of what happened," said Healey of the NSA's bulk collection of millions of American's cellphone records.
Those records are supposed to be stored in a restricted file that only 22 NSA staff are allowed to access if they have "reasonable, articulable suspicion" that any of those numbers have had contact with a terrorism suspect outside the U.S.
Healey also admitted that spies want to collect at much information as possible, allowing them, in essence, to have the entire haystack on hand as they look for needles inside it.
"The analogy I look at if you're dealing with intel guys, especially collectors, whether that's NSA or any other country's, is that they want to collect -- as an analogy -- a copy of every book ever written, even if they happen to get U.S. books in there. But, if they're gonna look at any single page that happens to be a U.S. citizen, the restrictions" come into play.
Healey's comments echo Deputy U.S. Attorney General Robert Cole's defense of the government's large-scale collection of cellphone and other business records.
"If you're looking for a needle in a haystack, you've got to get the haystack first," said Cole during a June 18 House intelligence committee hearing on the matter. "That's why we have the ability under the [FISA] court order, to acquire . . . all of that data, we don't get to use all of that data, necissarily."
Cole went on to insist that, "you have to have reasonable, arcticulable suscpision to actually use that data. If we want to find that there's a phone number that we believe is connected with terrorist organizations and terrorist activity, we need to have the rest of the haystack, all the other numbers, to find out which ones it was in contact with."
This came during the same hearing that NSA chief Gen. Keith Alexander had the following exchange with House intelligence committee chair Rep. Mike Rogers about collecting intelligence on Americans.
"Is the NSA able to listen to phone calls or read American's emails?" asked Rogers.
"No," replied Alexander.