NSA Admits Improper Collection of Phone Data, 2nd Time Around

The American Civil Liberties Union on Wednesday released documents showing the United States National Security Agency improperly collected Americans’ call and text logs in November 2017 and in February and October 2018.

The unauthorized collections occurred just four months after the agency announced it was deleting more than 620 million call detail records acquired since 2015 under Title V of the Foreign Intelligence Surveillance Act.

The NSA relied on the improperly collected information from the February 2018 violation to seek approval from the Foreign Intelligence Surveillance Court to spy on individuals, the ACLU said.

The NSA later informed the court of the error, the ACLU noted, but there’s no indication whether anyone was spied on unlawfully as a result, or whether the agency notified people improperly spied upon as required.

In October, the NSA again discovered it had obtained private information about Americans’ phone calls in violation of Section 215 of the Patriot Act.

The agency stopped receiving data from the carrier involved but resumed accepting data after the carrier indicated it had resolved the problem, according to the ACLU.

The ACLU obtained the redacted documents by filing a Freedom of Information Act lawsuit against the Office of the Director of National Intelligence in December.

The USA Freedom Act, adopted in 2015 after Edward Snowden disclosed the NSA’s surveillance activities, restricts the government’s phone record program, noted Andrew Crocker, senior staff attorney at the Electronic Frontier Foundation.

“We’ve learned that the NSA has been entirely unsuccessful in working within these limits, leading to the continued collection of hundreds of millions of phone records, including many it was not entitled to under the law,” Crocker told TechNewsWorld.

The Carriers’ Fault?

The NSA blamed the renewed spying on carriers’ mistakes, stating that technical irregularities led it to receive call detail records it was not authorized to obtain.

“We don’t know what caused the NSA’s egregious noncompliance,” said Sandra Fulton, government relations director at Free Press.

“Broadly it seems to be the result of at least one carrier overproducing the amount of user data it is meant to give the agency, but within the system designed by the NSA, so the fault is on both sides,” she told TechNewsWorld.

“While it is entirely possible there could be a sinister reason behind it, we’ve seen time and time again the nature of bureaucratic inefficiencies when dealing with large agencies,” said Heidari Power Law Group attorney Yasha Heidari.

“Otherwise, I would expect a more evasive response — and indeed, I would not believe we would even be hearing about this issue,” he told TechNewsWorld.

Blame It on Technology

“Presented with a request for a particular population of numbers and associated dial information, you’re going to capture a lot of extra stuff,” said Michael Jude, program manager at Stratecast/Frost & Sullivan.

“Metadata is leaky,” he told TechNewsWorld. “Even criminals and enemy agents make calls to local pizza places, and you have all that information captured in the metadata. I don’t think technology is up to protecting people’s privacy and call patterns.”

The bigger question, Jude noted, is whether the NSA is using the data the way it should.

National Security’s Sometimes Broad Brush

The NSA for years has fought calls for greater transparency on the grounds of national security.

It has not yet responded to a demand from six Democratic Party Senate Intelligence Committee members to release a public update on its mass phone data collection program, Free Press’ Fulton said.

A court this spring dismissed the Electronic Frontier Foundation’s lawsuit challenging the NSA’s surveillance of Americans — Jewel v. NSA — on national security grounds. The EFF filed an appeal with the Ninth Circuit Court of Appeals.

The NSA this spring also recommended dropping the phone surveillance program, according to reports, because its logistical and legal issues outweighed any intelligence benefits. It apparently has quietly killed the program since then.

Demands for More Safeguards

The ACLU on Tuesday wrote the House Judiciary Committee urging it to end the NSA’s Section 215 call detail record authority and to investigate and make public additional information about the agency’s recent compliance violations.

The NSA may have replicated its collection of surveillance data under a different authority, ACLU Senior Legislative Counsel Neema Singh Giuliani speculated, and she urged Congress to prevent resurrection of the program.

She also suggested Congress do the following:

  • Let Section 215 of the Patriot Act expire at the end of the year as scheduled;
  • Pass additional reforms to halt large-scale surveillance being conducted under other Patriot Act authorities;
  • Strengthen existing First Amendment protections;
  • Limit how federal agencies can access and use information that’s collected, and ensure they provide notice to individuals when information is used in criminal proceedings;
  • Close the backdoor search loophole in Section 702 of the FISA Amendments Act; and
  • Reform the FISC.

Meanwhile, Sens. Ron Wyden, D-Ore., and Rand Paul, R-Ky., and Reps. Justin Amash, R-Mich., and Zoe Lofgren, D-Calif., jointly introduced the “Ending Mass Collection of Americans’ Records Act,” S. 936 and H.R. 1942, in the Senate and House respectively.

S. 936 has a mere 4 percent chance of being enacted, according to Skopos Labs.

“This bipartisan effort to end the NSA’s call detail record authority is a welcome sign and something that should be a no-brainer for Congress,” ACLU spokesperson Abdullah Hasan remarked.

“We agree with the senators that broader legislative reforms to the NSA’s surveillance authorities are needed,” he told TechNewsWorld, “including limiting large-scale collection of data, preventing discrimination and First Amendment violations, and enhancing transparency.”

Richard Adhikari

Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology.
