How the NSA avoids listening to your phone calls (or tries to)
Before 9/11, if the NSA was in close pursuit of a terrorist who wanted to do harm to the United States, and that terrorist happened to book an airline that was owned by a U.S company, the agency was legally obligated to black out the name of the airline from any and all reports it sent on to the FBI. Why? As Kurt Eichenwald, who has written cogently about NSA data collection, points out, the NSA had to minimize, or excise, any incidental information about U.S. citizens, corporations, or legal residents that its analysts found.
In practice, the NSA would probably have found a way to verbally alert the FBI — its forced blindness was not supposed to be dumb — but minimization rules created a lot of procedural hurdles.
A former FBI agent who worked with the NSA before and after September 11 remembers the types of tips that counter-terrorism squad agents would get from their cousins in the intelligence business.
"We'd get names, or fragments or names, and maybe a date. And we'd get winks and nods that would tell us about how urgent it was. It was kind of frustrating," the agent recalls.
After 9/11, the NSA began to share a lot more data — such much so that FBI agents knew that the secret rules governing data collection had changed, but in a way that connected too many dots, rather than gave the bureau too few to work with.
How the NSA collects, stores, sifts, and discards information about "U.S. persons" is at the center of the debate about the collection of meta-data. The agency insists that minimization requirements are robust and well-audited. At the same time, it refuses to go into any detail about them.
Whenever the Foreign Intelligence Surveillance Court issues an order under section 215 of the PATRIOT Act, it attaches an appendix listing the rules that the NSA must follow. The same practice is in place for orders issued to a company whose data can be analyzed by the PRISM system.
PRISM allows NSA analysts to work with data on foreign intelligence targets that were collected by American companies. The orders that compel companies like Facebook and Yahoo to turn over customer records are much narrower and are based on the authority granted to the NSA by the 2008 FISA Amendments Act. On Friday, Facebook said that about 19,000 of its user accounts were requested by the government in the last six months of 2012. Most were from police agencies using subpoenas; some were from the FBI and the NSA, Facebook said.
At the same time, it's clear that the NSA collects far more information from the international users of, say, Facebook than what it gets from Facebook itself through the PRISM system.
Where does it get the stuff?
The answer lies in some of earliest whistleblowing about this generation of NSA technology.
It does not matter, legally, if the agency installs an electronic vacuum on the tip of a junction between large communication systems. What matters, legally, is what's done with the data that's collected. To handle the bulk collection systems that are designed to suck up international communications, the NSA uses a few basic tools to carve out, flag, or discard the domestic communications.
According to the Washington Post, email metadata is collected in the MARINA database, and telephone metadata is shunted to the MAINWAY database.
From my own inquiries on the subject, I've learned that MAINWAY's content is segregated by country and topic. It is the largest metadata repository in the NSA's arsenal. Numbers and records associated with U.S. persons are treated specially. Access to that compartmentalized portion of the database is audited in real-time. Every analyst who accesses the MAINWAY telephone records to query a U.S. person's telephone number is flagged. Determining the virtual owners of email addresses is harder. Analysts might use Google, or Lexis-Nexis, or other public tools, to try and see if a suspect email is associated with a U.S. citizen.
Every cell that's tasked with analyzing data from MARINA includes a complement of geolocation experts; their sole task is to use routing indicators and other metrics to determine the locations an email comes from. If an email originated outside the U.S., it still might belong to a U.S. person traveling overseas.
Since 2008, the NSA can't target that type of person without a FISA warrant, so another round of databases and tools are bolted on top of merely identifying the physical origin of the communication.
Individually analyzing each incoming email is impossible. So the NSA automates the minimization procedures as much as it can. Based on dynamic link analyses done by computers, scores are assigned to emails and associated profiles inside the system. Every bit of data associated with an email address that might belong to a U.S. person "updates" the score. Analysts can query the system for individual names, and email addresses, and even subject lines. They can add, if they want, the place and time that the email was collected, too. If the "score" associated with the email indicates that there is a 51 percent chance or higher that it belongs to a person overseas, the analyst can start monitoring content right away and not do anything further. If that score is less than 51 percent, the analyst can, if directed by a superior, start to access the content, if it's available, but the large team of lawyers the NSA has will be instantly notified, and a FISA order will be sought.
Sometimes, the NSA already has the content of a telephone call stored. You can infer how they might acquire the call; they can suck it up from a cell phone tower overseas, or from a listening device planted in an office, or from a telephone switch outside the United States. To understand what comes next, here's another hypothetical.
Let's say that the NSA has placed a collection device like a Stingray on a cell phone tower near the home of a known trafficker in nuclear components. That device, in conjunction with a satellite or a relay system, records all of the digital data associated with all incoming cell calls, as well as the calls itself. If that proliferator calls a telephone number in the U.S., one of three things can happen:
1. If the number called is a number for which the NSA has already gotten a court order to intercept, then the analyst can listen in on the call.
2. If the number is unknown to the analyst, he or she will use a variety of tools and databases to try and identify it. If the name (if there IS a name) that comes up at the end of THIS search is the target of an ongoing FISA order, then the analyst can continue to listen.
3. If the number is identified as belonging to a U.S. person who has heretofore never been identified with nuclear proliferation or anything else, then the analyst must electronically minimize the U.S. portion of the call. Sometimes, depending on who is doing the analysis, a computer will do this before the analyst has any say in the matter.
In the third instance, the U.S. person can become a target. Here's what happens: Generally, the NSA analyst will contact a superior, who will write a report attesting to the fact that a known nuclear proliferator called a telephone number inside the U.S. This report, called an IIR, will be forwarded to the FBI's electronic communication liaison unit with NSA, and will be flagged by both the FBI and the CIA. At this point, depending upon the situation, the FBI will run with the tip, or will coordinate with the CIA, or the NSA and FBI will use the IIR to seek a FISA order to monitor the person's communications.
But the standard the court looks for is higher: Probable cause must exist to show that the U.S. person belongs to a network of proliferation. If that standard is not met, the FBI will open an investigation and determine whether indeed the person meets the standard. If he or she does, then an order will be applied for; if not, the person will be ignored — to a point. The investigative records aren't thrown away. The stored communications — remember, the NSA already captured the call — will exist in an electronic database somewhere. If ANOTHER person associated with nuclear proliferation calls the same number, the signals intelligence analyst will be able to see this immediately; remember, the NSA databases operate iteratively.
How often does this happen? How often does a bad guy call into the U.S., necessitating the search of MAINWAY for a U.S. telephone number and the profile associated with it? The NSA said that this happens about 300 times a year. The figure is reported to Congress.
How often is an email searched using MARINA? This figure has not been disclosed. We do know that the auditing system in place has worked to catch NSA analysts who try and misuse the system. In 2008, an analyst who tried to look at Bill Clinton's email was caught and punished.
We also know that the databases are part of dozens that the NSA uses. The content of communication that's swept up by NSA's foreign intelligence programs finds a home in the PINWALE database. Analysts are allowed to query these databases to help the determine whether to proceed with an intercept or minimize; the agency says that these activities, too, are monitored and audited.
I've described, as best I can, the process of minimization. According to the New York Times, the FISA Court took a look at these procedures last year, and determined they were unconstitutional, and asked the NSA to rewrite them.
This may be why the NSA is shy about minimization.