RSS

How the NSA uses your telephone records

June 6, 2013, at 1:07 PM
The National Security Agency is collecting telephone records of millions of Verizon customers.

The National Security Agency is collecting telephone records of millions of Verizon customers. Photo: AP Photo/John Minchillo

Now that we have irrefutable proof that the National Security Agency collects and stores all of Verizon's telephone records, before we can use the "s" word — "spy" — we ought to get a better sense of what the agency, which is charged, you should know, with foreign intelligence collection, uses it for.

Of course, the rules are classified. They're probably classified at a higher level than the document provided to The Guardian because they're part of a specific compartmented NSA program that, government officials say, bears the code name "RAGTIME."

Ragtime is a SAP — a special access program — and analysts who work on the data provided by Verizon on customers who make calls to and from American phone numbers, are themselves segregated in a compartment within a compartment. They work on RAGTIME-P — the P stands for Patriot, as in the USA Patriot Act, which authorizes the bulk data collection that gives them stuff to analyze.

Verizon is one of a number of companies and Internet Service Providers who give the NSA bulk data.

The telephone metadata is stored in a database called MARINA, which keeps these records for at least five years.

In order to access the stored data sets, the NSA needs to have a real tangible reason. It's hard to believe this because the law seems to preclude them from collecting the data in bulk without a significant investigative purpose, but that law has been interpreted by the Foreign Intelligence Surveillance Court to relate only to the way in which the data is used.

That is, the NSA can collect the data so long as there is a good chance that it might need it for some future investigation.

They can't use the data unless there is a specific reason, a specific tip, a tip that has been — in theory, according to the rules as I understand them — certified by the attorney general.

This certification can come after the fact, meaning that the NSA can, without notice, dip into a portion of these records if exigent circumstances require it. They must then retroactively seek permission from the A.G., who then puts together an application for the FISA court to review. The FISA court can then review the application and send it back for more information, ordering the NSA to stop analyzing the data until the court is satisfied, or it can approve it.

The system covers for itself. Basically, the major telecoms really didn't want to get sued by customers for handing over their call records to the government without a warrant or an order. So they insisted on seeing a court order before doing so. Since the secret program depends upon the continuous provision of the bulk data, regulations require a new order every 90 days. The attorney general has to provide the FISA court with a justification as to why the bulk data ought to be collected. That's the "application" referred to in the Guardian document. That application remains classified.

So:

— The data is provided pursuant to a certification by the attorney general and an order by the court

— The data is stored in an NSA database

— The NSA receives information about a threat or a foreign intelligence opportunity, and then starts to analyze whatever portion of the data it wants, simultaneously working with the attorney general to provide an additional application to the FISA court to continue that actual analysis of a specific portion of the records, an identifiable tranch.

— If the NSA needs to access the content of calls or monitor them in real time, it must seek an additional order from the FISA court. These orders apply specifically to individuals, groups of individuals, or businesses.

The NSA would insist that it does not actually "spy" on you until it gets a further order, if at all. In most all circumstances, the FBI, not the NSA, would actually listen to your conversations if a FISA order was acquired. So merely "collecting" the data is like receiving a box full of records but not opening it until and unless they had a good reason to do so.

That metaphor is not terribly comforting, but it does appear to be the government's justification for insisting that they don't actually, actively "spy" on you. It is true: If they only compile these transactional records and don't do anything with them, and they faithfully honor this distinction, then the scale of the actual surveillance is not necessarily harmful, although it feels heavy. That's a big if. It depends on whether you believe the NSA follows the rules. I think its employees and analysts probably do, to the best of their ability. They are American citizens, many of them are members of the military, who swear an oath not to monitor (as in actively monitor/analyze) domestic telephone calls or emails. From a broad perspective, though, the level of oversight matters significantly.

So: How does Congress or the courts know that the NSA isn't just taking the bulk data and using it to create or find patterns out of the noise?

The NSA says it has internal audit mechanisms and an audit staff to make sure that every "analysis" has a paper trail. The intelligence committee receives regular briefings on the investigations or analyses conducted by the NSA, and the NSA's inspector general dips it to the analyst's folders at random intervals to make sure they're doing their job correctly.

If there's more to the oversight mechanism, it remains a secret, for now.

EDITORS' PICKS

THE WEEK'S AUDIOPHILE PODCASTS: LISTEN SMARTER

Facebook

Twitter

RSS

Subscribe to the Week