You are on page 1of 616

All redacted information exempt under (b)(1) and (b)(3).

SECRET

TAB
1

DESCRIPTION

Docket number

Docket number

Docket number

4
5

Docket number

Docket numbe

Docket numbe

Docket numbe

SECRET

TOP SECRET//COMJNT//NOFORN
UNITED STATES FOREIGN INTELLIGENCE SURVEILLANCE COURT WASHINGTON, D.C.

IN RE APPLICATION OF THE FEDERAL BUREAU OF INVESTIGATION FOR AN ORDER REQUIRING THE PRODUCTION OF TANGIBLE THINGS

Docket Number: BR

An application having been made by the Director of the Federal Bureau of

Investigation (FBI) for an order pursuant to the Foreign Intelligence Surveillance Act of 1978 (the Act), Title 50, United States Code (U.S.C.), 1861, as amended, requiring the production to the National Se=ity Agency (NSA) of the tangible things described below, and full consideration having been given to the matters set forth therein, the Court finds that:

TOP SECRET//COMJNT//NOFORN

1871 (c) (2)

PRODUCTION 1 DEC 2DD8

710

TOP SECRET//COMINT//NOFORN
1. The Director of the FBI is authorized to make an application for an order

requiring the production of any tangible things for an investigation to obtain foreign intelligence information not concerning a United States person or to protect agah-ist international terrorism, provided that such investigation of a United States person is not conducted solely on the basis of activities protect by the First Amendment to the Constitution of the United States. [50 U.S.C. 186l(c)(l)] 2. The tangible things to be produced are all call-detail records or "telephony metadata" created by Telephony metadata includes

comprehensive communications routing information, including but not limited to . session identifying information (e.g., originating and terminating telephone number, communications device identifier, etc), trunk identifier, and time and duration of call. Telephony metadata does not include the substantive content of any communication, as defined by 18 U.S.C. 2510(8), or the name, address, or financial information of a subscriber or customer. 1 [50 U.S.C. 186l(c)(2)(A)]

The Court understands that the vast majority of the call-detail records provided are expected to concern communications that are (i) between the United States and abroad; or (ii) wholly within the United States, including local telephone calls.
1

TOP SECRET//COMINT//NOFORN
2

1871 (c) (2)

PRODUCT I ON 1 DEC 2008

711

TOP SECRET//COMINT//NOFORN
3. There are reasonable grounds to believe that the tangible thlngs sought are relevant to authorized investigations (other than threat assessments) being conducted by the FBI under guidelines approved by the Attorney General under Executive Order 12,333 to protect against international terrorism, which investigations are not being conducted solely upon the basis of activities protected by the First Amendment to the Constitution of the United States. [50 U.S.C. 1861(<;)(1)] 4. The tangible things sought could be obtained with a subpoena duces tecum issued by a court of the United States in aid of a grand jury investigation or with any other order issued by a court of the United States directing.the production of records or. tangible thlngs. [50 U.S.C. 1861(c)(2)(D)] WHEREFORE, the Court irids that the application of the United States to obtain the tangible thlngs, as described in the application, satisfies the requirements of the Act and, therefore, IT IS HEREBY ORDERED, pursuant to the authority conferred on this Court by the Act, that the application is GRANTED, and itis FURTiiER ORDERED, as follows:

TOP SECRET//COMINT//NOFORN
3

1871 (c) (2)

PRODUCTION 1 DEC 2008

712

TOP SECRET//COMINT//NOFORN
(1)

secondary order, and continue production on an ongoing daily basis thereafter for the duration of this order, unless otherwise .ordered by the Court, of the following tangible things: all call-detail records or "telephony metadata" created by such companies as described above; (2) NSA shall compensate incurred in providing such tangible things; (3) With respect to any information the FBI receives as a result of this Order (information that is passed or "tipped" to it by NSA 2), the FBI shall follow as minimization procedures the procedures set forth in The Attorney General's Guidelines for FBI National Security Investigations and Foreign Intelligence Collection (October 31,
2003).

for reasonable expenses

(4) With respect to the information that NSA receives as a result of this Order, NSA shall adhere to the following procedures:

' The Court understands that NSA expects that it will provide on average approximately two telephone numbers per day to the FBI.

TOP SECRET//COMINT//NOFORN
4

1871 (c) (2)

PRODUCTION 1 DEC 2D08

713

TOP SECRET//COMINT//NOFORN
A. The Director of NSA shall establish mandatory procedures strictly to control access to and use of the archived data collected pursuant to this Order. Any search or analysis of the data archive shall oc= only after a particular known telephone number has been associated with More specifically, access to the archived data shall oc= only when NSA has identified a known telephone number for which, based on the factual and practical considerations of everyday life on which reasonable and prudent persons act, there are facts giving rise to a reasonable, articulable suspicion that the telephone number is associated with ; provided, however, that a telephone number believed to be used by a U.S. person shall not be regarde.d as associated with solely on the basis of activities that are protected by the First Amendment to the Constitution. B. The metadata shall be stored and processed on a secure private network that NSA exclusively will operate.
C. Access to the metadata archive shall be accomplished through a software

interface that will limit access to this data to authorized analysts. NSA's OGC

TOP SECRET//COMINT//NOFORN
5

1871 (c) (2)

PRODUCT I ON 1 DEC 2008

714

TOP SECRET!!COMINT!!NOFORN
shall monitor the designation of individuals with access to the archive. Access to the archive shall be controlled by user name and password. When the metadata archive is accessed, the user's login, IP address, date and time, and retrieval request shall be automatically logged for auditing capability. NSA's Office of General Counsel (OGC) shall monitor the functioning of this automatic logging capability. Analysts shall be briefed by NSA's OGC concerning the authorization granted by this Order and the limited circumstances in which queries to the archive are permitted, as well as other procedures and restrictions regarding the retrieval, storage, and dissemination of the archived data. In addition, NSA' s OGC shall review and approve proposed queries of archived metadata based on seed accounts numbers reasonably believed to be used by U.S. persons. D. Although the data collected under this Order will necessa:ri.ly be broad, the use of that information for analysis shall be strictly tailored to identifying terrorist communications and. shall oc= solely according to 1;)1e procedures described in the application, including the rn.inirnization procedures designed to protect U.S. person informatfon. Specifically, dissemination of U.S. person information shall follow the standard NSA rn.inirnization procedures found in the

TOP SECRET//COMINT//NOFORN
6

1871 (c) (2)

PRODUCT I ON 1 DEC 2008

715

TOP SECRET//COMINT//NOFORN
Attorney General-approved guidelines (U.S. Signals Intelligence Directive 18). Before information identifying a U.S. person may be disseminated outside of NSA, a judgment must be made that the identity of the U.S. person is necessary to understand the foreign intelligence information or to assess its importance. Prior to the dissemination of any U.S. person identifying information, the Chief of Information Sharing Services in the Signals Intelligence Directorate must determine that the information identifying the U.S. person is in fact related to counterterrorism information and that it is necessary to understand the counterterrorism information or assess its importance. A record shall be made of every such determination. E. Internal management control shall be maintained by requiring that queries of the archived data be approved by one of seven persons: the Signals Intelligence Directorate Program Manager for Counterterrorism Special Projects, the Chief or Deputy Oiief, Counterterrorism Advanced Analysis Division; or one of the four . specially authorized Counterterrorism Advanced Analysis Shift Coordinators in the Analysis and Production Directorate of the Signals Intelligence Directorate.

TOP SECRET//COMINT//NOFORN
7

1871 (c) (2)

PRODUCT I ON 1 DEC 2008

716

TOP SECRET//COMINT//NOFORN
In addition, at least every ninety days, the Department of Justice shall review a sample of NSA' s justifications for querying the archived data. F. The metadata collected under this Order may be kept online (that is, accessible for queries by cleared analysts) for five years, at which time it shall be c;iestroyed. G. The Signals Intelligence Directorate Program Manager for Counterterrorism . Special Projects; Chief and Deputy Chief, Counterterrorism Advanced Analysis Division; and Counterterrorisrn Advanced Analysis Shift Coordinators shall establish appropriate management controls (e.g., records of all tasking decisions, audit and review procedures) for access to the archived data and shall use the Attorney General-approved guidelines (USSID 18) to minimize the information reported concerning U.S. persons. H. The NSA Inspector General, the NSA General Counsel, and the Signals Intelligence Directorate Oversight and Compliance Office shall periodically review this program. The Inspector General and the General Counsel shall submit a report to the Director of NSA 45 days after the initiation of the activity assessing the adequacy of the management controls for the processing and

TOP SECRET//CO:tvIINT//NOFORN
8

1871 (c) (2)

PRODUCTION 1 DEC 2008

717

TOP SECRET//COMINT//NOFORN
dissemmation of U.S. person information. The Director of NSA shall provide the findings of that report to the Attorney General.
I. Any application to renew or reinstate the authority granted herein shall

include a report describing (i) the queries that have been made since this Order was granted; (ii) the manner in which NSA applied the procedures set forth in subparagraph A above, and (iii) any proposed changes in the way in which the call-detail records would be received from the carriers.

I
I I I I I I I
I

TOP SECRET//COMINT//NOFORN
9

1871 (c) (2)

PRODUCTION 1 DEC 2008

718

TOP SECRET//COMINT//NOFORN
J. At least twice every 90 days, NSA's OGC shall conduct random spot checks, consisting of an examination of a sample of call-detail records obtained, to ensure that NSA is receivLrig only data as authorized by the Court and not receiving the substantive content of communications.

Signed _ _ _ _ _ _ _ _ _ _ Eastern Time Time Date This authorization regarding .

05-24-06P12: 19

in the United States and Abroad expires on the _a_ "ay of


August, 2006, at 5:00 p.m., Eastern Time.

~aA. MALCOLM].~~
Judge, United States Foreign hi.telligence Surveillance Court

TOP SECRET//COMINT//NOFORN
10

1871 (c) (2)

PRODUCTION 1 DEC 2008

719

TOP SECRET//COMil'i!//NOFORJ"

TOP SECRET/ICOMJNT//NOFORt'I
2

1871 (c) (2)

PRODUCT I ON 1 DEC 2008

721

TOP SECRET//COMil'IT/!NOFORl'l

TOP SECRET//CO!'r!Il'l!//NOFORN
3

1871 (c) (2) PRODOC1 ION 1 DEC 2008

722

TOP SECR.ET!ICOT\'llNTllNOFORN
4

1871 (c) (2)

PRODUCT I ON 1 DEC 2008

723

TOP SECRET//CO!V!INT//NOFOR!."'i

1871 (c) (2)

PRODUCT I ON 1 DEC 2008

724

TOP SECRET//CO!VITNT//NOFORN

TOP SECRET//COM!NT/fNOFOR.N

T871 (c) (2)

PR.0-DUCT I ON 1 DEC 2008 725

TOP SECRET//COJ\.ffi'IT//NOFORN

TOP SECRET//COMINT//NOFORi"'-1
7

18 7 I (c) (2)

PRODUC I I ON

DEC 2008

726

TOI' SECRET//COMJNT//NOFOR.l'1

TOiP SECRETl/COlYillff//NOFORi'l
8

18 71 (c) (2)

PRODOC 11 ON 1 DEC 2008

727

TOP SECRET//COMfNT//NOFOR.N

TOP SECRET//COiV!:INT//NOFOPJ'I
9

1871 (c) (2)

PRODUCT I ON 1 DEC 2008

728

TO? SECRET//COlVITNT//NOFORl'l 10

1871 (c) (2)

PRODUCT I ON 1 DEC 2008

729

TOP SECRET//COJVIINT//NOFOR.!'1

TOP SECRET//COIVDNT/INOFOR.N

11

1871 (c) (2)

PRODUCT I ON 1 DEC 2008

730

TOP SECRET//COM!NT//NOFORN
12

1871 (c) (2)

PRODUCT I ON 1 DEC 2008

731

TOP SECR.ET//COM:D'IT//NOiFORL"I

TOP SECP.ET/ICOMINTllNOFORN
13

1871 (c) (2)

PRODUCT I ON 1 DEC 2008

732

TOP SECRET//COMI:elT//NOFORl<q

TOP SECRET//COlYilNT//NOFORl"< 14

1871 (c) (2)

PRODUCTION 1 DEC 2008

733

TOP SECRET/!CO!.VITNTlfNOFOP....c'T

TOP

SECRET//COMJJ'fI/INOFOP~N

15

1871 (c) (2) PRODUCT I ON 1 DEC 2008

734

TOP SECR.ET//CO!i1DNT//NOFORN

TOP SECRET//COl\ffiIT/fNOFORN
16

1871 (c) (2)

PRODUCT I ON 1 DEC 2008

735

TOP SECRET//COMTI"1'T//NOFOitN" ..

TOP SECRET//COl\filIT//NOFORN

17

187 1 (c) (2)

PRODOC I I OIQ

DEC 2tl08

736

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 737

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 738

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 739

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 740

1871 (c) (2)

PRODUCT I ON 1 DEC 2D08 741

1871 (c} (2)

PRODUCT I ON 1 DEC 2008 742

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 743

1871 (c) (2)

PRODUCT! ON 1 DEC 2008 744

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 7 45

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 746

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 7 4 7

1871 (c) (2)

PRODUCTION 1 DEC 2DD8 748

1871 (c) (2)

PRODUCTION 1 DEC 2008 749

1871 (c) (2)

PRODUCTION 1 DEC 2008 750

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 751

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 752

1871 (c) (2)

PRODUCTION 1 DEC 2008 753

1871 (c).(2)

PRODUCTION 1 DEC 2008 754

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 755

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 756

1871 (c) (2)

PRODUCTION 1 DEC 2008 757

1871 (c) (2)

PRODUCTION 1 DEC 2008 758

1871 (c) (2)

PRODUCTION 1 DEC 2008 759

1871 (c) (2)

PRODUCTION 1 DEC 2DOR 7i:;n

1871 (c) (2)

PRODUCTION 1 DEC 2008 761

1871 (c) (2)

PRODUCTION 1 DEC 2008 762

1871 (c} (2}

PRODUCTION 1 DEC 2008 763

1871 (c) (2)

PRODUCTION 1 DEC 2008 764

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 765

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 766

1871 (c) (2)

PRODUCTION 1 DEC 2008 767

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 768

1871 (c) (2)

PRODUCTION

'"""

"~~-

1871 (c) (2)

PRODUCTION l DEC 2008 770

1871 (c) (2)

PRODUCTION 1 DEC 2008 771

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 772

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 773

1871 (c) (2)

PRODUCTION 1 DEC 2008 774

1871 (c) (2) PRODUCT/ON 1 DEC 2008 775

1871 (c) {2)

PRODUCT! ON 1 DEr. ?nno ., ., "

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 777

1871 (c) (2)

PRDDUCTlON 1 DEC 2008 1041

1871 (c) (2)

PRODUCTION 1 DEC 2008 1042

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 1043

1871 (c) (2)

PRODUCTION 1 DEC 2008 1044

1871 (c) (2)

PRODU..CT I ON.. 1 DEC 2008 1045

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 1046

1871 (c) (2)

PRODUCTION 1 DEC 2008 1047

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 1048

1871 (c) (2)

PRODUCTION 1 DEC 200-8 1049 -

1871 (c) (2)

PRODUCTION 1 DEC 2008 1050

'

0 2006 Thom.soil/West. No Claim to Orig. U.S. GoVL Works.

1871 (cl

(?\

1871 (~) (2)

PRODUCTION 1 DEC 2008 1052

O 2006 Thomsoo!West. No Claim to Orig. U.S. Govt. Works.

1871

(c) (?\

DDn"'-1 ,..,_. -

1871 (c). (2)

PRODUCT I ON 1 DEC 2008 1054

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 1055

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 1056

1871 (c) (2)

PRODUCTION 1 DEC 2008 1057

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 1058

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 1059 ..

1871 (c) (2)

PRODUCT I ON 1 DEC 20D8 1 D60

1871 (c) (2)

PRODUCTION 1 DEC 2008 1os1

1871 (c) (2)

PRODUCTION 1 DEC 20013 1062

1871 (c) (2)

PRODUGJION__1 DEC 2008 1063

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 1064

1871 (c) (2)

PRODUCTION 1 DEC 2008 1065

1871 (c) (2)

PRODUCTlnM

'""n ----

1871 (c) (2)

PRODUCT1n~1

"~~

--

1871 (c) (2)

PRODUCTION 1 DEC 200R 1nc:o

1871 (c) (2)

PRODUCTION 1 .DEC. 200R 1n""

1871 {c) (2)

PRODUCT I ON 1 DEC 20.08 1071

18 71 (c) (2)

PRODUCT I ON 1 DEC 2008 107 2

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 1073

'
~

1871 (c) (2)

PRODUCT I ON 1 DE-C 2008 1074

1871 (c)

q)

PRODUCT I ON 1 DEG 2008 1075

1871 (c) (2)

PRODUCTION 1 DEC 2008 1076

1871 (c) (2)

PRODUCTION 1 DEC 2008 1077

1871 (c) (2)

PRODUCTION 1 DEC 2008 1078

1871 (c) (2)

--~RO.OU.CliDN_l_ DEC 2008 1079

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 1080

1871 (c) (2)

PRODUCTION 1 DEC 2ooa 1081

1871 (c) (2)

PRODUCTION 1 DEC 2008 1082

1871.(c) (2)

PRODUCTION 1 DEC 2008 1083

1871 (c) (2)

PRODUCT I ON 1 DEC 2008 1084

All redacted information exempt under (b)(1) and (b)(3) except as otherwise noted.
TOP SECRET//COMINT//ORCON,NOFORN//MR
UNITED STATES FOREIGN INTELLIGENCE SURVEILLANCE COURT

Docket No.: BR 08-13

SUPPLEMENTAL OPINION This Supplemental Opinion memorializes the Court' s reasons for concluding that the records to be produced pursuant to the orders issued in the above-referenced docket number are properly subj ect to production pursuant to 50 U.S.C.A. 1861 (West 2003 & Supp. 2008), notwithstanding the provisions of 18 U.S.C.A. 2702-2703 (West 2000 & Supp. 2008), amended by Public Law 110-40 1, 501 (b )(2) (2008). As requested in the application, the Court is ordering production of telephone "call detail records or ' telephony metadata,"'which " includes comprehensive communications routing information, including but not limited to session identifYing information ... , trunk identifier, telephone calling card numbers, and time and duration of [the] calls," but "does not include the substantive content of any communication." Application at 9; Primary Order at 2. Similar productions have been ordered by judges of the Foreign Intelligence Surveillance Court ("FISC"). See Appli cation at 17. However, this is the first application in which the government has identified the provisions of 18 U.S.C.A. 2702-2703 as potentially relevant to whether such orders could properly be issued under 50 U.S.C.A. 1861. See Application at 6-8. Pursuant to section 1861, the government may apply to the FISC "for an order requiring the production of any tangible things (including books, records, papers, documents, and other items)." 50 U.S.C.A. 1861(a)(1) (emphasis added). The FISC is authorized to issue the order, "as requested, or as modified," upon a finding that the app lication meets the requirements of that section. 1..Q.,_ at 186 1( c)(1 ). Under the rules of statutory construction, the use of the word "any" in a statute naturally connotes "an expansive meaning," extending to all members of a common set, unless Congress employed "language limiting [its] breadth." United States v. Gonzales, 520 U.S. 1, 5 (l 997); accord Ali v. Federal Bureau of Prisons, 128 S. Ct. 83 1,836 (2008)

TOP SECRET//COMINT//ORCON,NOFORN//MR
Page 1

TOP SECRET//COMINT//ORCON,NOFORN/IMR
("Congress' use of'any' to modify ' other law enforcement officer' is most naturally read to mean law enforcement officers of whatever kind."). ' However, section 2702, by its terms, describes an apparently exhaustive set of circumstances under which a telephone service provider may provide to the government noncontent records pertaining to a customer or subscriber. See 2702(a)(3) (except as provided in 2702(c), a provider "shall not knowingly divulge a record or other [non-content] information pertaining to a subscriber or customer ... to any governmental entity"). In complementary fashion, section 2703 describes an apparently exhaustive set of means by which the government may compel a provider to produce such records. See 2703(c)( l ) ("A governmental entity may require a provider .. . to disclose a record or other [non-content] information pertaining to a subscriber ... or customer .. . only when the governmental entity" proceeds in one of the ways described in 2703(c)( I)(A)-(E)) (emphasis added). Production of records pursuant to a FISC order under section 1861 is not expressly contemplated by either section 2702(c) or section 2703( c)(l )(A)-(E). If the above-described statutory provisions are to be reconciled, they cannot all be given their full, literal effect. Tf section 1861 can be used to compel production of call detail records, then the prohibitions of section 2702 and 2703 must be understood to have an implicit exception for production in response to a section 1861 order. On the other hand, if sections 2702 and 2703 are understood to pro hi bit the use of section 1861 to compel production of call detail records, then the expansive description of tangible things obtainable under section 186l(a)(l ) must be construed to exclude such records. The apparent tension between these provisions stems from amendments enacted by Congress in the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and ObstTuct Terrorism Act ("USA PATRIOT Act"), Public Law 107-56, October 26, 200 1, I 15 Stat. 272. Prior to the USA PATRIOT Act, only limited types ofrecords, not

The only express limitation on the~ of tangible thing that can be subject to a section 1861 order is that the tangible thing "can be obtained with a subpoena duces tecum issued by a court of the United States in aid of a grand jury investigation or with any other order issued by a court of the United States directing the production of records or tangible things." Id. at 1861 ( c)(2)(D). Call detail records satisfy this requirement, since they may be obtained by (among other means) a "court order for disclosure" und er 18 U.S.C.A. 2703(d). Section 2703( d) penn its the government to obtain a court order for release of non-content records, or even in some cases of the contents of a communication, upon a demonstration of relevance to a criminal investigation.
1

TOP SECRET//COMINT//ORCON,NOFORN//MR
Page 2

TOP SECRET//COMINT//ORCON,NOFORN//MR
including call detail records, were subj ect to production pursuant to FISC orders. 2 Section 2 15 of the USA PATRIOT Act replaced thi s prior language with the broad description of "any tangible thing" now codified at section 186 1(a)( I). At the same time, the USA PATRIOT Act amended sections 2702 and 2703 in ways that seemingly re-affirmed that communications service providers could divulge records to the government only in specified circumstances, 3 without expressly referencing FISC orders issued under section 1861. The government argues that section 1861 (a)(3) supports its contention that section 1861(a)( 1) encompasses the records sought in tlti s case. Under section 1861 (a)(3), which Congress enacted in 2006,4 appli cations to the FISC for production of several categories of sensitive records, including "tax return records" and "educational records," may be made only by the Director, the Deputy Director or the Executi ve Assistant Director for National Security ofthe Federal Bureau of Investigati on ("FBI"). 18 U.S.C.A. 186 1(a)(3). The disclosure of tax return records5 and educational records 6 is specificall y regulated by other federal statutes, which do not by their own terms contemplate production pursuant to a section 186 1 order. Nonetheless, Congress clearly intended that such records could be obtained under a section 186 1 order, as demonstrated by their inclusion in section 1861(a)(3). But, since the records of telephone service providers are not mentioned in section 1861 (a)(3 ), this line of reasoning is not directly on point. However, it does at least demonstrate that Congress may have intend ed the sweeping description of tangible items obtainable under section 1861 to encompass the records of telephone service providers, even though the specific provisions of sections 2702 and 2703 were not amended in order to make that intent unmi stakably clear.

See 50 U.S.C.A . l862(a) (West 2000) (appJying to records oftranspor1ation carriers, storage facilities, vehicle rental facilities, and public accommodation facilities). Specifically, the USA PATRIOT Act inse11ed the prohibition on disclosure to governmental enti6es now codified at 18 U.S .C.A. 2702(a)(3), and exceptions to this prohibition now codified at 18 U.S.C.A. 2702(c). See USA PATRIOT Act 2 12(a)( l )(B)(iii) & (E). The USA PATRIOT Act also amended the text of 18 U.S .C.A. 2703(c)(1) to state that the government may require the disclosure of such records only in circumstances specifi ed therein. See USA PATRIOT Act 212(b )(1)(C)(i).
4
3

See Public Law 109- 177 106(a)(2) (2006).

See 26 U.S.C.A. 6103(a) (West Supp . 2008), amended by Public Law 110-328 3(b)(I ) (2008).
6

See 20 U.S.C.A. 1232g(b) (West 2000 & Supp. 2008).

TOP SECRET//COMINT//ORCON,NOFORN/!MR
Page 3

TOP SECRET//COMINT//ORCON,NOFORN/IMR
The Court finds more instructive a separate provision of the USA PATRJOT Act, which also pertains to governmental access to non-content records from communications service providers. Section 505(a) of the USA PATRIOT Act amended provisions, codified at 18 U.S.C.A. 2709 (West 2000 & Supp. 2008), enabling the FBI, without prior judicial review, to compel a telephone service provider to produce "subscriber information and toll billing records information." 18 U.S.C.A. 2709(a).7 Most pertinently, section 505(a)(3)(B) of the USA PATRIOT Act lowered the predjcate required for obtaining such information to a certification submitted by designated FBI officials asserting its relevance to an authorized foreign intelligence investigation. 8 Indisputably, section 2709 provides a means for the government to obtain non-content information in a manner consistent with the text of sections 2702-2703. 9 Yet section 2709 merely requires an FBI official to provide a certification of relevance. In comparison, section 1861 reqwres the government to provide to the FISC a "statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant" to a foreign intelligence investigation, 10 and the FISC to determine that the application satisfies this

This process involves service of a type of administrative subpoena, commonly known as a "national security letter." DavidS. Kris & J. Douglas Wilson, National Security Investigations and Prosecutions 19:2 (2007). Specifically, a designated FBI official must certify that the information or records sought are "rel evant to an authorized investigation to protect against international terrorism or clandestine intelligence activities, provided that such an investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution of the United States." 18 U.S.C.A. 2709(b)(l)-(2) (West Supp. 2008). Prior to the USA PATRJOT Act, the required predicate for obtaining " local and long distance toll billing records of a person or entity" was " specific and articulable facts giving reason to believe that the person or entity ... is a foreign power or an agent of a foreign power." See 18 U.S.C.A. 2709(b)(1 )(B) (West 2000). Section 2703(c)(2) pennits the government to use "an administrative subpoena" to obtain certain categories of non-content information from a provider, and section 2709 concerns use of an administrative subpoena. See note 7 supra. 50 U.S.C.A. 186 1(b)(2)(A). More precisely, the investigation must be "an authorized investigation (other than a threat assessment) .. . to obtain foreign intelligence information not concerning a United States person or to protect against international tenorism or clandestine intelligence activities," id. , "provided that such investigation of a United States (continued ... )
10

TOP SECRET//COMINT//ORCON,NOFORN//MR
Page4

TOP SECRET//COMINT//ORCON,NOFORN//MR
requirement, see 50 U.S.C.A. 1861(c)( l ), before records are ordered produced. It would have been anomalous for Congress, in enacting the USA P ATRlOT Act, to have deemed the FBI's application of a "relevance" standard, without prior judicial review, sufficient to obtain records subject to sections 2702-2703, but to have deemed the FISC's application of a closely similar "relevance" standard insufficient for the same purpose. This anomaly is avoided by interpreting sections 2702-2703 as implicitly permitting the production of records pursuant to a FISC order issued under secti on 1861 . It is the Co urt' s responsibility to attempt to interpret a statute "as a symmetrical and coherent regu latory scheme, and fit, if possible, all pa1ts into an harmonious whole." Food & Drug Admin. v. Brown & Williamson Tobacco Corp., 529 U.S. 120, 133 (2000) (internal quotations and citations omitted). For the foregoing reasons, the Court is persuaded that this objective is better served by the interpretation that the records sought in this case are obtainable pursuant to a section 186 1 order. However, to the extent that any ambiguity may remain, it should be noted that the legislative history of the USA PATRJOT Act is consistent with this expansive interpretation of section 186 1(a)(l). See 147 Cong. Rec. 20,703 (2001) (statement of Sen. Feingold) (section 2 15 of USA PA TRJOT Act "permits the Government . . . to compel the production of records from any business regarding any person if that information is sought in connection with an investigation of terrorism or espionage;" "all business records can be compelled, including those containing sensitive personal information, such as medical records from hospitals or doctors, or educational records, or records of what books somebody has taken out from the library") (emphasis added). In this regard, it is significant that Senator Feingold introduced an amendm ent to limit the scope of section 186 1 orders to records "not protected by any Federal or State law governing access to the records for intelligence or law enforcement purposes," but this limitation was not adopted. See 147 Cong. Rec. 19,530 (2001 ). ENTERED this

tJ.:tfday of December, 20

Judge, United States Foreign Intelligence Surveillance CoUJt

continued) person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution." Id. 1861 (a)(1). The application must also include mimmization procedures in conformance with statutory req uirements, which must also be reviewed by the FISC. Id. 186 1(b)(2)(B), (c)(1), & (g).

10 ( . ..

TOP SECRET//COMINT//ORCON,NOFORN//MR
Page 5

TOP SECRET//HCS/COMINT//ORCON,NOFORN~ .'

2UI

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET/fHCS/COMINT//ORCON,NOFORN

TOP SECRET/fHCS/COMINT//ORCON,NOFORN

10

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

II

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

12

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

13

TOP SECRET//HCS/COMINT/IORCON,NOFORN

TOP SECRET/IHCS/COMINTI/ORCON,NOFORN

14

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

15

TOP SECRET/IHCS/COMINT//ORCON,NOFORN

TOP SECRET/IHCS/COMINT//ORCON,NOFORN

16

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

17

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

18

TOP SECRETf/HCSfCOMINTffORCON,NOFORN

TOP SECRETf/HCSfCOMINTffORCON,NOFORN

19

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

20

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINTI/ORCON,NOFORN

21

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

22

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//RCS/COMINT//ORCON,NOFORN

23

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

24

TOP SECRET//HCS/COMINT//ORCON,NOFORN

TOP SECRET//HCS/COMINT//ORCON,NOFORN

25

SECRET

SECRET

(b)(1); (b)(3); (b)(6)

SECRET

SECRET
'
'

~age2

SECRET

SECRET

SECRET

SECRET
2

SECRET

SECRET
3

SECRET

SECRET
4

(b)(1); (b)(3); (b)(6)

SECRET 5

All redacted information exempt under (b)(1) and (b)(3) except as otherwise noted.

U.S. Depairtment of Justice


Office of Legislative Affairs

Washington, JlC 20530

UNCLASSIFIED WHEN SEPARATl!:D FROM CLASSrFIED ENCLOSURE

March 5, 2009

The Honorable Patrick J. Leahy


C~ha1rr11an

The Honorabie Dianne Feinstein


C~hair1nan

on the Judiciary United States Senate Washinf:,'1.on, D.C. 20510 The Honorable John Conyers, Jr. Chairman Committee on the Judiciary U.S. House of Representatives Washington, D.C. 20515 Dt:;ar !v1adam and Messrs. Chaim1cn:

Cornmitte~;

Select Committee on Intelligence United States Senate Washington, D.C. 20510 The Honorable Silvestre Reyes Chairman Pennanent Select Committee on U.S. House of Representatives Washington, D.C. 20515

lntelligenc~e

In accordance with the Attorney General's obligation., pursuant to Sections 1846 :md l 862 of Foreign !ntdligence Surveillance Act of 1978, as amended ("FISA"), 50 U.S.C. 1801, et. seq., to keep your committees fully informed concerning all uses of pen registers and and trace devices, and all requests for the production o Ctangible things, wc arc submitting herewith certain documents related to the government's use of such authorities. The documents contain redactions necessary to protect the national security of the United States, including the protection of sensitive sources and methods.

enclosed documents are highly classified. Accordingly, while four copies are being provided fix rcvi ew by Mernbers and appropriately c learcd staff from each of the four Committees, all copies are being delivered to the Intelligence Committees for appropria1e storage.

TOP SECRET//COMlNT//NOFORN,ORCON
UNCLASSffIED \VHEN SEPARATED FROM CLASSIFIED Ei'ICLOSURE

B.onorab!e Patrick

j,

Leahy

Honorable Feinstein The Honorable John Conyers, Jr. The Honorable Silvestre Reyes Tvvo

'Ne hope that this information is helpfi.11. Please do not hesitate to contact this office if you would additional assistance regarding this or any other matter.
Sincerely,

. Faith Burton
Acting Assirnmt Attorney General

Encl.osures
cc: The Honorable Arlen Specter

Ranking Minority Member


Senate Committee on the Judiciary

The Honorable Christopher S. Bond Vice Chainnan Senate Select Committee on Intelligence
The Honorable Lamar S. Smith

Ranking Iv1inority Member


Honse Committee on the .l The Honorable Peter Hoekstra

Ranking r.ilinority Iv1ember House Permanenl Select Committee on Intelligence Honorable Colleen Kollar-Kotclly Presiding .l udge
States Foreign lntelligence Surveiilance Court

TOP SECRET//COMIN'f //NOFORN,ORCON


UNCLASSIFIED WHEN SEPARATED FROM CLASSIFIED ENCLOSURE

TOP SECRET//COIVIlNT//NOFORN//MR

UNITED STATES FOREIGN INTELLIGENCE SURVEILLANCE COURT WASHINGTON, p.c.


IN RE PRODUCTION OF TANGIBLE THINGS Docket Number: BR 08-13

ORDER REGARDING PRELIMINARY NOTICE OF COMPLIANCE INCIDENT DATED JANUARY 15, 2009

On December 11, 2008, the Court authorized the government to acquire the tangible

things sought by the government in its application in Docket BR 08"13. The Court specifically ordered, however, that
access to the archived data shall occur only when NSA has identified a known telephone identifier for which, based on the factual and practical considerations of everyday life on

which reasonable and prudent persons act, there are facts giving rise to a reasonable,
articulable suspicion that the telephone identifier is associated with~d

provided, however, that a telephone identifier believed to be used by a U.S.


person shall not be regarded as associated with
.TOP SECRET//COJ.\1iNTflNOFORN//MR

- -

1846 & 1862 PRODUCTION 5 MARCH 2009

-1-

TOP SECRET//COMINT/!NOFORN/IMR

olely on the basis of activities that are protected by the First Amendment to the Constitution. Docket BR 08~l3i Primary Order at 8. On January 15, 2009, the Department of Justice notified the Court in writing that the government has been querying the business records acquired pursuant to Docket BR 08-13 in a manner that appears to the Court to be directly contrary to the above-quoted Order and directly contrary to the sworn attestations of several Executive Branch officials. See e.12:. lib.. Application at 10-11, & 20-21~ Declaration at 8; Exhibit B (NSA 120-Day Report) at 9 & 11-12. Given the massive production authorized by this Order,1 coupled with the limited information provided thus far by the government, the Court HEREBY ORDERS the government to file a written brief with appropriate supporting documentation, no later than 10:00 a.m., Tuesday, February 17, 2009, the purpose of which is to help the Court assess whether the Orders issued in th.is docket should be modified or rescinded; whether other remedial steps should be directed; and whether the Court should talce action regarding persons responsible for any misrepresentations to the Court or violation of its .Orders, either through its contempt pov-rers or by referral to appropriate investigative offices. In addition to any other information the government wishes to provide, the brief shall

As the government noted in its application, "[i]f authorized, the requested order will result in the production of call detail records pertaining to of telephone communications, including call detail records pertaining to communications of U.S. persons located 1vithin the United States who are not the subject of any FBI investigation." Id., Application at 12.
TOP SECRET//COMINT/NOFORN//1\1R

1846 & 1862 PRODUCTION 5 MARCH 2009

-2-

TOP SECRET//COMINT//NOFORN/!MR
specifically ad~ess the following issues:2 1. Prior to January 15, 2009, who, within the Executive Branch, knew that the "alert list" that WaS being used to query the Business Record database included telephone identifiers that had not been individually reviewed and detennined to meet the reasonable and articulable suspicion standard? Identify each such individual by name, title, and specify when each individual learned this fact. 2. 3. How long has. the unauthorized querying been conducted? How did the unauthorized querying come to light? Fully describe the circumstances surrounding the revelations.
4.

The application signed by the Director of the Federal Bureau ofinvestigation, the Deputy
Assistant Attorney General for National Security, United States Department of Justice

(''DOJ"), and the Deputy Attorney General of the United States 13-s well as the Declaration
of Deputy Program Manager at the National Security Agency

C'NSA"), represents that during the pendency of this order, the NSA Inspector General, the NSA General Counsel, and the NSA Signals Intelligence Directorate Oversight and Compliance Office each will conduct reviews of this program. Docket BR 08-13, Application at 27, Declaration at 11. The Court's Order directed such review. Id.,

The government reports in its Forty-five Day Report in Docket BR 08-13, filed on January 26, 2009, that it expects to report to the Court by February 2, 2009, "the actions it has taken to rectify this compliance incident." To the extent that report addresses the following questions, the government need not repeat the answers in response to this Order. Instead, the government may refer the Court to the appropriate page or pages of the February 2nd report.

TOP SECRET//COMIN'I'.lf;NOFORN//MR

1846 & 1862 PRODUCTION 5 MARCH 2009

-3-

TOP SECRET//COMJNT//NOFORN/IMR
Primary Order at 12. \Vhy did none of these entities that were ordered to conduct oversight over this program identify the problem earlier? Fully describe the manner in which each entity has exercised its oversight responsibilities pursuant to the Primary Order in this docket as well as pursuant to similar predecessor Orders authorizing the bulk production of telephone rnetadata. 5. The preliminary notic~ from DOJ states that the alert list includes telephone identifiers that have been tasked for collection in accordance with NSA's SIGINT authority. What standard is applied for tasldng telephone identifiers under NSA's SIGINT authority? Does NSA, pursuant to its SIGINT authority, task telephone identifiers associated with United States persons? If so, does NSA limit such identifiers to those that were not selected solely upon the basis of First Amendment protected activities? 6.

In what fom1 does the government retain and disseminate information derived from
queries run against the business records data archive?

7.

If ordered to do so, how would the government identify and purge information derived from queries run against the business records data archive using telephone identifiers that were not assessed in advance to meet the reasonable and articulable suspicion standard? The Court is exceptionally concerned about what appears to be a flagrant violation of its

Order in tltls matter and, while the Court will not direct that specific officials of the Executive

TOP SECRET//COMINTl,fNOFORN//MR

-4.:.

1846 & 1862 PRODUCTION 5 MARCH 2009

-4-

TOP SECRET//COMINT//NOFORN//MR
Branch provide sworn dec1arations in response to this Order, the Court expects that the declarants will be officials of sufficient stature that they have the authority to speak on behalf of the Executive Branch.
'

IT IS SO ORDERED) this 28th day of January 2009.

Judge, United States Foreign Intelligence Surveillance Court

OP SECRET//COMINT//.NOFORN//MR

TOP SECRET//COMINT//NOFORN//MR
,, 'J.

UNITED STATES
.

.Jl
']'

i~YEiLLEi)~!~J'<iCE \i.,_,f" r'[l/1,


'I

I.

rH.s.' . FCJIYrt~.. ,. /-LI 11,,:.


! /

l:.~~
~-

FOREIGN INTELLIG~NCE SURVEILLANCE CO~JKf'D9' WASHINGTON_, DC .

FEB f 7 ~N : lj l 9 CL[oi, OF _

......J!.f 1"
I\!

,,,

;-c.;ow~r

IN RE PRODUCTION OF TANGIBLE TIITNGS

Docket Number: BR 08-13

MEMORANDUM OF THE UNITED STATES IN RESPONSE TO THE COURT'S ORDER DATED JANAURY 28, 2009 (U)

The United States of America, by and through the undersigned Department of Justice attorneys, respectfully submits this memorandum and supporting Declaration of Lt. General Keith B. Alexander, U.S. Army, Director, National Security Agency (NSA), attached hereto at Tab 1 ('~exander Declaration"), in response to the Comt's Order Regarding Preliminary Notice of Compliance Incident Dated January 15, 2009 (')anuary 28 Order"). (TS) The Government acknowledges that NSA's descriptions to the Court of the alert list process described in the Alexander Declarntion were inaccurate and that the

TOP SECRET//COMINT//NOFORN//MR

1846 & 1862 PRODUCTION 5 MARCH 2009

-6-

TOP SECRET//COMINT//NOFORN//1\ffi.

Business Records Order did not prqvide the Government with authority to employ the alert list in the manner in which it did. (TS//SI//NF) For the reasons set forth below, however, the Court should not rescind or modify its Order in docket number BR 08-13. The Government has already taken significant steps to remedy the alert list compliance h1cident and has commenced a bro~der review of its handling of the rnetadata collected in this matter. In additionr the Government is taking additional steps to implement a more robust oversight regime. Finally, the Governn1ent respectfully submits that the Court need not take any further remedial action, including through the use of its contempt powers or by a referral to the appropriate investigative offices. 1 (TS//SI//NF)
BACKGROUND (U)

I.

Events Preceding the Court's January 28 Order (S)


In docket number BR 06-05, tI:e Government sought, and the Court authorized

NSA, pursuant to the Foreign Intelligence Surveillance Act's (FISA) tangible things provision, 50 U.S.C. 1861 et seq., to collect in bulk and on an ongoing ba.sis certain call

The I anuary 28 Order directed the Goverrunent to file a brief to help the Court assess how to respond to this matter and to address seven specific issues. This memorandum discusses the need for further Court action based, in part, on the facts in the Alexander Declaration, which contains de~ailed responses to each-of tl:te Court's specific questions. See Alexander Deel. at 24-39. (S)
1

TOP SECRET//COMINT//NOFORN//MR
2

1846 & 1862 PRODUCTION 5 MARCH 2009. -7-

TOP SECRET//COMINT//NOFORN//MR detail records or "telephony metadata," so that NSA could analyze the metadata using contact chain.in fools. 2 (TS//SI//NF)

FISA'"s tangible things provision authorizes the Director of the Federal Bureau of Investigation (FBI) or his designee to ap:rly to this Court for an order requiring the production of any tangible things (:including books, records, papers, documents, and other items) for an investigation to obtain foreign intelligence :information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely on the basis of activities protected by the first amendment to the Constitution.
50 U.S.C. 1861(a)(1). FISA's tangible things provision directs the Court to enter an ex

12arte order requiring the production of tangible things and directing that the tangi'ble things produced in response to such an order be treated in accorda:1ce with m:inimization procedures adopted by the Attorney General pursuant to section 1861 (g), if the judge finds that the Government's application meets the requirements of 50 U.S.C.

1861(a) & (b). See 50 U.S.C. 1861(c)(1). (U)


In docket number BR 06-05 and each subsequent authorization)' includ:ing docket

number BR 08-13, this Court found that the Government's application met the require:rnents of 50 U.S.C. 1861(a) & (b) and entered an order d:irecting that the BR metadata to be produced-call detail records or telephony metadata-be treated in

The Government will refer herein to call Gl-stailr.ecords collected pursuant-to the Court's authorizations in this matter as "BR metadata. 11 (TS)
2

..., -:

- --

TOP SECRET//COMINT//NOFORN//MR
3

1846 & 1862 PRODUCTION 5 MARCH 2009

-8-

TOP SECRET//COMINT//NOFORN//MR accordance with the minimization procedures adopted by the Attorney General.

Among these minimization procedures was the following:

Any seaI'ch or analysis of the data archive shall occur only after a particular known tele hone number has been associated with r31More specifically, access to the archived data shall occur only when NSA has identified a known telephone number for which, based on the factual and practical considerations of everyday llie on which reasonable and prudent persons act, there are facts giving rise to a reasonable, articulable suspicion that the telephone number is associated with organization; provided, however, that a telephone number believed to be used by a U.S. person shall not be regarded as associated with solely on the basis of activities that are protected by the First Amendment to the Constitution.
Order, docket number BR 06"."05, at 5 (emphasis added); see also Memo. of Law in Supp. of Application for Certain Tangible Things for Investigations to Protect Against International Terrorism, docket number BR 06-05, Ex. C, at 20 (describing the above requirement as one of several rnin.in.1.ization procedures to be applied to the collected metadata). 4 (TS//SI//NF)

a Authorizatlons after this matter was initlated in May 2006 expanded the telephone

identifiers that NSA could query to those identifiers associated wi ~ generally docket number BR 06-05 (motion to amend granted in August 2006), and later the see generally docket number BR 07-10 (motion to amend granted in June 2007). The Court's authorization in docket number BR 08-13 ap roved querying related t Primary Order, docket number BR 08-13, at 8. (TS//SI/fNF.) addition, the Court's Order in docket number BR 06-05 and each subsequent authorization, including docket number BR 08-13, required that "[ a]lthough the data collected under this Order will necessarily be broad, the useof tli~t information for analysis-shall be strictly tailored to identifying terrorist communications and shall occur solely according to the
4 In

TOP SECRET//COMINT//NOFORN//MR 4

1846 & 1862 PRODUCTION 5

MARr.H ?nnQ

-Q-

TOP SECRET//COl\flNT//NOFORN//MR
On December 11, 2008, the Court granted the most recent reauthorization of the

BR meta.data collection. For purposes of querying the BR meta.data, as in prior Orders


in this matter, the Court required the Government to comply with the same standard of
reasonable, articulable suspicion set forth above. Primary Order, docket number BR 08-

13, at 8-9. 5 (TS//SI//NF)


On January 9, 2009, representatives from the Department of Justice's National

Security Division (NSD) attended a briefing at NSA concerning the telephony meta.data collection. 6 At the briefing, NSD and NSA representatives discussed several matters, including the alert list. See Alexander Deel. at 17, 27-28. Following the briefing and on the same day, NSD sent NSA an e-mail message asking NSA to confirm. NSD's understanding of how the alert list operated as described at the bri~fing. Following additional investigation and the collection of additional information, NSA replied on

procedures described in the application, including the minimization procedures designed to protect U.S. person information." See, e.g., Order, docket number BR 06-05, at 6 CJ[ D.
(TS//SI//NF)
In this memorandum the Government will refer to this standard as the "RAS standard" and telephone identifiers that satisfy the standard as "RAS-approved." (S)
5

TI1e names of the Deparhnent of Justice representatives who attended the briefing are included in the Alexander Declaration at page 28. The date of this meeting, January 9, 2009, was the date on which these individuals first learned (later confirmed) that the alert list compared non-RAS-approved identifiers to the incoming BR metadata. Other than these individuals (and other NSD personnel with whom these individuals discussed this matter between January 9 and January 15, 2009), and those NSA personnel otherwise identified in the Alexander Declaration, NSD has no record of anyothere:xecutive branch pers-onnel who knew - " that the elert list included non-RAS-approved identifiers prior to January 15, 2009. (TS//SI//NF)
6

TOP SECRET//COMINT//NOFORN//MR 5

1846 & 1862 PRODUCTION 5 MARCH 2009 -10-

TOP SECRET//COMINT//NOFORN//MR January 14, 2009, confirming much of NSD's understanding and providing some additional information. See id. at 27. (TS//SI//NF) Fallowing additional discussions between NSD and NSA, a preliminary notice of compliance incident was filed with the Court on January 15, 2009. See id. at 27-28. The letter reported that the alert list contained counterterrorism-associated telephone identifiers tasked for collection pursuant to NSA's signals intelligence (SIGINT) authorities under Executive Order 12333, and therefore included telephone identifiers that were not RAS-approved, as well as some that were. 7 Thereafter, as previously reported in a supplemental notice of compliance incident filed with the Court on February 3, 2009, NSA unsuccessfully attempted to complete a software fix to the alert list process so that it comported with the above requ.iiement in docket number BR 08-13.

The prelintinary notice of compliance incident filed on January 15, 2009, stated in pertinent part:
7

NSA informed the NSD that NSA places on the alert list counterterrorism associated telephone identifiers that have been tasked for collection pursuant to NSA' s signals intelligence (SIGINT) authorities under Executive Order 12333. Because the alert list consists of SIGINT-tasked telephone identifiers, it contruns telephone identifiers as to which NSA has not yet determined that a reasonable and articulable suspicion exists that they are associated wi d
As information co ecte pursuant e Court's Orders in this matter flows into an NSA database, NSA automatically compares this information with its alert list in order to identify U.S. telephone identiliers that have been in contact with a number on the alert list. Based on results of this comparison NSA then determines in what body of data contact chaining is authorized.

Jan. 15, 2009, Preliminary Notice of Compliance Iru:ideD-..:t1 docket number 08:1_3, at2. (TS//SI//NF)

TOP SECRET//COMINT//NOFORN//MR
6

1846 & 1862 PRODUCTION 5 MARCH

?nnq -11-

TOP SECRET//COMINT//NOFORN//MR
See id. at 20. NSA shut down th.e alert list process entirely on January 24, 2009, and th.e process remains shut down as of the date of this filing. 8 See id. (TS//SI//NF)

II.

NSA's Use of the Alert List Process to Query Telephony Meta.data (TS)
When the Court initially authorized the collection of telephony metadata in

docket number BR 06-05 on May 24, 2006, neither the Court's Orders nor the

Government's application (including the attachments) discussed an alert list process. Rather, a description of the alert list process fust appeared in the NSA report accompanying the renewal application in BR 06-08, filed with the Court on August 18,

The supplemental notice of compliance incident filed on Februru;y 3, 2009, stated in pertinent part:
8

On January 23, 2009, NSA provided the NSD with information regarding the steps it had taken to i:nodify the alert list process order to ensure that only "RAS-approved" telephone identifiers run against the data collected pursuant to the Court's Orders in this matter (the "BR data") would generate automated alerts to analysts. Specifically, NSA informed the NSD that as of January 16, 2009, it had modified the alert list process so that "hits" in the BR data based on nonRAS-approved signals intelligence (SIGINT) tasked telephone identifiers would be automatically deleted so that only hits fa the BR data based on RAS-approved telephone identifiers would result in an automated alert being sent to analysts. NSA also indicated that it was in the process of constructing a new alert list consisting of only RAS-approved telephone identifiers.

in

On January 24, 2009, NSA informed the NSD that it had loaded to the business record alert system a different list of telephone identifiers than intended. NSA reports that, due to uncertainty as to whether all of the telephone identifiers satisfied all the criteria in the business records order, the alert list process w~s shut down entirely on Janua1y 24, 2009. Feb. 3, 2009, Supplemental Notice of Compliance.fficident, docket number 08-13, at 1-2. (TS//SI//NF)

TOP SECRET//COMINT//NOFORN//MR
7

TOP SECRET//COMINT//NOFORN//MR 2006. 9 The reports filed with the Court incorrectly stated that the alert list did not include telephone identifiers that were not RAS-approved. fu fact, the majority of telephone identifiers on the list were not RAS-approved. See Alexander Deel. at 4, 7-8. (TS//SI//NF) A. Creation of the Alert List for BR Metadata in May 2006 (TS) Before the Court issued its Order in BR 06-05, NSA had developed an alert list process to assist NSA in prioritizing its review of the telephony metadata it received. See id. at 8. The alert list contained telephone identifiers NSA was targeting for SIGINT collection and domestic identifiers that, as a result of analytical tradecraft, were deemed relevant to the Government's counterterrorism activity. See id. at 9. The alert list process notified NSA analysts if there was a contact between either (i) a foreign telephone identifier of counterterrorism interest on the alert list and any domestic telephone identifier in the incoming telephony metadata, or (ii) any domestic telephone identifier on the alert list related to a foreign counterterrorism target and any foreign telephone tdentifier mthe incommg telephony metadata. See id. (TS//SI/fNF.) According to NSA's review of its records and discussions with relevant NSA personnel, on May 25, 2006, NSA's Signals Intelligence Directorate (SID) asked for NSA Office of General Counsel's (OGC) concurrence on draft procedures for implementing

Similarly, the applications and declarations in subsequent renewals did not discuss the alert list although the reports attached to the applj._f~tio!!_~ and reports filed separately from renewal applications discussed the process. (TS)
9

TOP SECRET//COMINT//NOFORN//MR 8

TOP SECRET//COMINT//NOFORN//MR the Court's Order in docket number BR 06-05. See id. at 12. The procedures generally described how identifiers on the alert list would be compared against incoming BR metadata and provided that a superviSor would be notified if there was a match between an identifier on the alert list and an identifier in the incoming data. See id. at
12-13 and Ex. B thereto ("BR Procedures") at 1-2. Moreover, a close reading of the BR

Procedures indicated that the alert list contained both RAS-approved and non-RASapproved telephone identifiers. 10 See Alexander Deel. at 12-13; BR Procedures at 1. NSA OGC concurred in the use of the BR Procedures, emphasizing that analysts could not access the archived.BR metadata for purposes of conducting contact chainingll .rnless the RAS standard had been satisfied. See Alexander Deel. at 1314 and Ex. A and Ex. B thereto. (TS//SI//NF)

On May 26, 2006, the chief of NSA-Washington's counterterrorism organization

in SID directed that the alert list be rebuilt to include only identifiers assigned to "bins"
or "zip codes" 11 that NSA used to ident'

For example, after ciescribing the notification a supervisor (i&., Shift Coorciinator anci, later, Homeland Mission Coordinator) would receive if a foreign telephone identifier generated an alert based on the alert list process, the BR Procedures provided that the [{Shift Coordinator will examine the foreign number and determine if that particular telephone number haey been previously associated based on the standard articulated by the Court.1' BR Procedures at 1. (TS//SI//NF)
10

TOP SECRET//COMINT//NOFORN//MR
9

TOP SECRET//COMINT//NOFORN//MR the only targets of the Court's Order in docket number BR 06-05. See Alexander Deel. at 14-15. Pursuant to this overall direction, personnel in NSA's counterterrorispi. organization actually built two lists to manage the alert process. The first list - known as the "alert list" - included all identifiers (foreign and domestic) that were of interest to counterterrorism analysts who were charged with tracking. This list was used to compare the incoming BR metadata NSA was obtaining pursuant to the Court's Order and NSA's other somces of SIGINT collection to alert

the counterterrorism organization if there was a match between a

telephone identifier on the list and an identifier in the incoming metadata. See id. at 15. The alert list consisted of two partitions-one of RAS-approved identifiers that could result in automated chainfilg in the BR metadata and a second of non-RAS approved identifiers that could not be used to initiate automated chaining in the BR metadata. See id. The second list-known as the "station table" -was a historical listing of all telephone iP.entiliers that had undergone a RAS determination, including the results of the determination. See id. at 15, 22. NSA used the "station table" to ensure that only RAS-approved "seed" identifiers were used to conduct chaining....... in the BR metadata aichlve. See id. at 15. In short, the system was designed to compare both SIGINT and BR metadata against the identifiers on the alert list but only to permit

A chart of the alert list process as it operated fro!f! May 2006 to I anuary 200_9 is attached _ - -. ~- - ~ to the Alexander Declaration as Ex. C. (S)

TOP SECRET//COMINT//NOFORN//MR 10

TOP SECRET//COMINT//NOFORN//MR alerts generated from RAS-approved telephone identifiers to be used to conduct contact chaining
f the BR metadata. As a result, the majority of telephone

identifiers compared against the :incoming BR metadata in the rebuilt alert list were not RAS-approved. See id. at 4, 7-8. For example, as of January 15, 2009, the date of NSD's first notice to the Court reganiing this issue, only 1,935 of the 17,835 identifiers on the alert list were RAS-approved. See id. at 8. (TS//SI//NF) Based upon NSA's recent review, neither NSA SID nor NSA OGC identified the inclusion of non-RAS-approved identifiers on the alert list as an issue requiring extensive analysis. See id. at 11. Moreover, NSA personnel, including the OGC attorney who reviewed the BR Procedures, appear to have viewed the alert process as merely a means of identifyll,_g a particular identifier on the alert list that might warrant further scrutiny, :including a determination of whether the RAS standard had been satisfied and therefore whether contact chaining could take place in

the BR metadata archive using that particular identifier.12 See id. at 11-12. In fact, NSA designed the alert list process to result in automated chaining of the BR metadata only if the initial alert was based on a RAS-approved telephone identifier. See id. at 14. If an

12 As discussed in the Alexander Declaration, in the context of NSA' s SIGINT activities the term "archived data" normally refers to data stored in NSA's analytical repositories and excludes the many processing steps NSA tmdertalces to ma.lee the raw collections useful to analysts. Accordingly, NSA analytically distinguished the initial alert process from the (i.e., "queries") of the subsequent process of performing contact chainin "archived data," assessing that the Court's Order in docket number BR 06-05 only: governed the _ latter. See Alexand~r Deel: at 3-4, 10-15. (TS//SI//NF) --. .. ~- - -

TOP SECRET//COMINT//NOFORN//MR 11

TOP SECRET//COMINT//NOFORN//MR alert was based on a non-RAS-approved identifier, no automated chaID.:ing would occur
in the BR metadata archive although automated chaining could occur in other NSA

archives that did not require a RAS

determination(~

non-PISA telephony collection).

See id. (TS//SI//NF)


B.

Description of the Alert List Process Beginning in August 2006 (TS)

The first description of the alert list process appeared in the NSA report accompanying the Government's renewal application filed with the Court on August 18,
2006. The report stated h1 relevant part:

(TS//SI//NF) NSA has compiled through its continuous counterterrorism analysis, a list of telephone numbers that constitute an alert list" of telephone numbers used by members of s alert list serves as a body of telephone numbers employed to query the data, as is described more fully below. (TS//SI//NF) Domestic numbers and foreign numbers are treated differently with respect to the criteria for including them on the alert list. With respect to foreign telephone numbers, NSA receives information indicating a tie to
/1

Each of the foreign telephone numbers that comes to the attention of NSA as possibly related to evaluated to determine whether the information about it provided to NSA satisfies the reasonable articulable suspicion standard. If so, the foreign telephone number is placed on the alert list; if not, it is not placed on the alert list. (TS//SI//NF) The process set out-abov:e~applies also to newly discovered domestic telephone numbers considered for addition to the TOP SECRET//COMINT//NOFORN//MR 12

TOP SECRET//COMINT//NOFORN//MR alert list, with. the additional requirement that NSA' s Office of General Counsel reviews these numbers and affirms that the telephone number is not the focus of the analysis based solely on activities that are protected by the FirstAmendment. ... (TS//SI//NF) As of the last day of the reporting period addressed herein, NSA had included a total of 3980 telephone numbers on the alert list, which in.eludes foreign numbers and domestic numbers, after concluding that each of the foreign telephone numbers satisfied the standard set forth in the Court's May 24, 2006 [Order], and each of the domestic telephone numbers was either a FISC approved number or in direct contact with a foreign seed that met those criteria. (TS//SI//NF) To summarize the alert system: every day new contacts are automatically revealed with the 3980 telephone numbers , contained on the alert list described above, which themselves are present on the alert list either because they satisfied the reasonable articulable suspicion standard, or because they are domestic numbers that were either a FISC approved number or in direct contact with a number that did so. These automated queries identify any new telephone contacts between the numbers on the alert list and any other number, except that domestic numbers do not alert on domestic-to-domestic contacts. NSA Report to the FISC (Aug. 18, 2006), docket number BR 06-05 (Ex. B to the Goverrunent's application in docket number BR 06-08), at 12-15 CAugust 2006 Report"). 13 The description above was included in similar form in all subsequent reports to the Court, including the report filed in December 2008. (TS//SI//NF)

The August 2006 report also discussed two categories of domestic telephone numbers that were added to the alert list prior to the date the Order took effect. One category consisted of telephone numbers for which the Court had authorized collection and were therefore deemed approved for metadata querying without the approval of an NSA official. The second category consisted of domestic numbers added to the alert list after direct contact with a known foreign seed number. The domestic numbers were not used as seeds themselves and contact chaining was limited to two hops (instead of the three hops authorized by the Court). See August 2006 Report, at 12-13; Alexander Deel. at 'l.n.1 ...N.SA subsequently r~moved the numbers in the second category from the alert list. (TS//SI//NF-)

15

TOP SECRET//COMINT//NOFORN//MR 13
"'tOAC
f')

-1l":ti~'F)

nnf'\l"'\llf"\Tlr'\11.I

F"

Bllt.i.Rl"\11

l"\l"\.l""t.F\.

TOP SECRET//COMINT//NOFORN//MR Accordlng to NSA's review of its records and discussions with relevant NSA personnel, the NSA OGC attorney who prepared the initial draft of the report included an inaccurate d,escription of the alert list process due to a m i s t - e r t

Upon completing the draft, the attorney circulated the draft to other OGC

attorneys and operational personnel and requested that others review it for accuracy. See id. The inaccurate description, however, was not corrected before the report was finalized and filed with the Comt on August 18, 2006. The same description rema5ned
in subsequent reports to the Court, including the report filed in docket number BR 0813.14 (TS//SI//NF)

At the meeting on January 9, 2009, NSD and NSA also identified that the reports filed with the Court have incorrectly stated the number of identifiers on the alert list. Each report included the number of telephone identiliers purportedly on the alert list. See, e.g.. NSA 120Day Report to the FISC (Dec.11, 2008), docket number BR 08-08 (Ex. B to the Government's application in docket number B.R 08-13), at 11 ("As of November 2, 2008, the last day of the reporting period herein, NSA had included a total of 27,090 telephone identifiers on the alert list ...."). In fact, NSA reports :fuat these numbers did not reflect the total number of identifiers on the alert list; they actually represented the total number of identifiers :included on the "station table" (NSA's historical record of RAS de~rrrrir}.3.tions) as currently RAS-E).pproved (!&,. approved for contact chain.in s~-e Alexander Deel. ats n.3. (TS//SI//NF) ~ 14

TOP SECRET//COMINT//NOFORN//MR

14

TOP SECRET//COMINT//NOFORN//MR DISCUSSION (U)


I.

THE COURT'S ORDERS SHOULD NOT BE RESCINDED AND NEED NOT BE MODIFIED (TS)
In the January 28 Order, the Court directed the Government to submit a written

brief designed to, among other things, assist the Court in assessing whether the Primary Order in docket number BR 08-13 should be modified or rescinded. 15 January 28 Order at 2. (S) So long as a court retains jurisdiction over a case, then, in the absence of a prohibition by statute or rule, the court.retains inherent authority to "reconsider, rescind, or modify an interlocutory order for cause seen by it to be sufficient." Melancon v. Texaco, Inc .. 659 F.3d 551, 553 (5th Cir. 1981). The choice of remedies rests
in a court's sound discretion,~ Kingsley v. United States, 968 F.2d 109, 113 (1st Cir.

1992) (citations omitted) (considering the alternative remedies for breach of a plea agreement), but in exercising that discretion a court may consider the full consequences that a particular remedy may bring about, see AJre~ae v. Chertoff, 471 F.3d 353, 360 (2d
Cir. 2006) (citations omitted) (.instructing that on remand to consider petitioner's motion

to rescind order of removal, immigration judge may consider /(totality of the circrnnstances"). Consonant with these principles, prior decisions of tlus Court reflect a shong preference for resolving incidents of non-compliance tru:ough the creation of

is The authorization granted by the Prima_zy Or_~~r issued by the C01u:t in docket number BR 08~13 expires oil March 6, 2009 at5:00 p.m. Eastern Time. (TS//SI//NF)

TOP SECRET//COMINT//NOFORN//MR

15

TOP SECRET//COMINT//NOFORN//MR additional procedures and safeguards to guide the Government in its ongoing collection efforts1 rather than by imposing the extraordinary and final remedy of rescission. See, Primary Order, docket numbe t 11-12 (requiring, in .

response to an incident of non-compliance, NSA to file with the Court. every thirty days a report discussing, among other things, queries made since the last report to the Court and NSA's application of the relevant standard); see also ocket numbers

(prohibiting the querying of data using "seed" accounts validated using particular information). CfS//SI/INF) The Court's Orders :in this matter did not authorize the alert list process as implemented to include a comparison of non-RAS-approved identifiers against incoming BR metadata. However, in light of the significant steps that the Government has already taken to remedy the alert list compliance incident and its effects1 the significant oversight modifications the Government is in the process of implementing, and the value of the telephony metadata collection to the Government's national security mission, the Government respectfully submits that the Court should not rescind or modify the authority granted in docket number BR 08-13. (TS)

TOP SECRET//COMINT//NOFORN//MR

16

TOP SECRET//COMINT//NOFORN//MR
A. Remedial Steps Already Undertaken by the Government Are Designed to Ensure Future Compliance with the Court's Orders and to Mitigate Effects of Past Non-Compliance (S)
'

Since the Goverrunent first reported this matter to the Court, NSA has taken several corrective measmes related to the alert process, including immediate steps to sequester and shut off its analysts' access to any alerts that were generated from comparing incoming BR metadata against non-RAS-approved identifiers. See Alexander Deel. at 19-20. NSA also immediately began to re-engineer the entire alert process to ensure that only RAS-approved telephone identifiers are compared against incoming BR metadata. See id. Most importantly, NBA shut off the alert list process on January 24, 2009, when its redesign efforts failed, and the process will remain shut do:wn until the Government can ensure that the process will operate withm the terms of the Court's Orders. See id. at 20. (TS//SI//NF) NSA has also conducted a review of all 275 reports NSA has disseminated since May 2006 as a result of contact chainin
f NSA' s archive of

BR metadata. 16 See id. at 36. Tiility-one of these reports resulted from the automated

alert process. See id. at 36 n.17. NSA did not identify any report that resulted from the use of a non-RAS-approved "seed" identifier.17 See id. at 36-37. Additionally, NSA

A single report may tip more than one telephone identifier as being related to the seed identifier. As a result, the 275 reports have tipped a total of 2,549 telephone identifiers since May 24, 2006. See Alexander Deel. at 36 n.17. (TS//SI//NF)
15

NSA has identified one report where the-number on the alert list was not RAS~ approved when the alert was generated butJ after receiving the alertJ a supervisor determined
17

TOP SECRET//COMINT//NOFORN//MR 17

TOP SECRET//COMINT//NOFORN//MR determined that in all instances where a U.S. identifier served as the initial seed identifier for a report (22 of the 275 reports),

the initial U.S. seed identifier was either

already the suqject of FISC-approved surveillance under the FISA or had been reviewed
by NSA' s OGC to ensure that the RAS determination was not based solely on a U.S.

person s first amendment~protected activities. See id. at 37. (TS//SI/!Nf.)


1

Unlike reports generated from the BR metadata, which NSA disseminated outside NSA, the alerts generated from a comparison of the BR metadata to the alert list wereonly distributed to NSASIGINT personnel responsible for counterterrorism activity. 18 See id. at 38. Since this compliance incident surfaced, NSAidentified and eliminated analyst access to all alerts that were generated from the comparison of nonRAS approved identifiers against the incoming BR metadata and has limited access to the BR alert system to only software developers assigned to NSA's Homeland Security Analysis Center (HSAC), and the Teclmical Director for the HSAC. See id. at 38-39.
(TS//SI//NF)

that the identifier, in fact, satisfied the RAS standard. After this determination, NSA used the identifier as a seed for chaining in the BR FISA data archive. Information was developed that led to a report to the FBI that ti.pped 11 new telephone identifiers. See Alexander Deel. at 37 n.18. (TS//SI//NF)
1s Initially, if an identifier on the alert list generated an alert that the identifier had been in contact with an identifier in the United States, the alert system masked (;Lg., concealed from the analyst's v-iew) the domestic identifier. Later, in.January 2008, the SIGINT Directorate allowed the alerts to be sent to analysts without masking the domestic identifier. NSA made this change in an effort to improve the ability of SIGJN~.:.~alysts, on the bas~ _of their target knowledge, to prioritize their work more efficiently. See Alexander Deel. at 38. (TS//SI//NF)

TOP SECRET//COMINT//NOFORN//MR 18

TOP SECRET//COMINT//NOFORN//MR In addition to the steps NSA has talcen with respect to the alert list issues, NSA has also implemented measures to review NSA's handling of the BR metadata generally. For example1 the Director of NSA has ordered end-to-end system erJ.gineering and process reviews (technical and operational) of NSA's handling of BR metadata. See id. at 21. The results of this review will be made available to the Court. See id. at 21 n.13.
In response to this Order, NSA also has undertaken the following:
e

a review of domestic identifiers on the "station table" in order to confirm that RAS determinations complied with the Court's Orders; and

. an audit of all queries made of the BR metadata repository since November 1, 2008, to determine if any of the queries during that period were made using non-RAS-approved identifiers. 19 See id. at 22-23. (TS//SI//NF) To better ensure that NSA operational personnel understand. the Court-ordered procedures and requirements for accessing the BR metadata, NSA's SIGINT Oversight & Compliance Office also initiated an effort to redesign trairi.ing for operational personnel who require access to BR metadata. This effort will include competency testing prior to access to the data. See id. at 23. In the :interim, NSAmanagement personnel, with support from NSA OGC a11d the SIGINT Oversight and Compliru1ce Office, delivered Although NSA' s review is still ongoing, NSA' s review to date has revealed no instances of improper querying of the BR metadata, aside from those previously reported to the Court in a notice of compliance incident filed on January 26, 2009, in which it was reported that between approximately December 10, 2008, and January 23, 2009, two analysts conducted 280 qu~ries using non-RAS-approved identifiers. See Alexander Deel. at 22-23. As discru;sed below, NSA is implementing software changes to the query to_Q~s used by analysts ~o. that only RASapproved identifiers may be used to query the BR FISA data repository. See id. at 22-23. (TS)
19

TOP SECRET//COMINT//NOFORN//MR

19
1 R LL Fi.
ft

1 R Fi. ?

P Q n n 11 r T 1 n r-.1

r:::

u A o f'\ u

,., n n n

_'">A _

TOP SECRET//COMINT//NOFORN//MR in-person briefings for all NSA personnel who have access to the BR metadata data archive to remind them of the requirements and their responsibilities regarding the proper handlir).g of BR metadata. See id. In addition, all NSA personnel with access to the BR metadata have also received a written reminder of their responsibilities. See id.
(TS//SI//NF)

Finally, NSA is implementing two changes to the tools used by analysts to access the BR metadata. First; NSA is changing the system that analysts use to conduct contact chaining of the BR metadata so that the system vvill not be able to accept any non-RASapproved identifier as the seed identifier for contact chaining. See id. at 24. Second, NSA is implementing software changes to its system that will limit to three the number of "hops" permitted from a RAS-approved seed identifier. See id. (TS//SI//NF)

B.

Additional Oversight Mechanisms the Government Will Implement (S)

The operation of the alert list process in a maru1er not autho~ized by the Court and contrary to the marmer in which it was described to the Court is a significant compliance matter. Whlle the process has been remedied in the ways described above; the Government has concluded that additional oversight mechanisms are appropriate to ensure future compliance with the Primary Order in docket number BR 08-13 and any future orders renewing the authority granted therein. Accordingly, the Government will implement the following oversight mecharusms in addition to those contained in the Court's Ord.ers: TOP SECRET//COMINT//NOFORN//MR 20

TOP SECRET//COMINT//NOFORN//MR

NSA's OGC will consult with NSD on all significant legal opinions that relate to the interpretation, scope and/or implementation of the author~ation granted by the Court :in its Pr:imary Order in docket number BR 08-13, prior Orders issued by the Court, or any future order renewing that authorization. "When operationally practicable, such consultation shall occur in advance; otherwise NSD will be notified as soon as practicable; NSA' s OGC will promptly provide NSD with copies of the mandatory procedmes (and all replacements, supplements or revisions thereto in effect now or adopted in the future) the Director of NSA is required to maintain to strictly control access to and use of the data acquired pursuant to orders issued by the Court in this matter; NSA's OGC will promptly provide NSD with copies of all formal briefing and/or training materials (:including all revisions thereto) currently in use or prepared and used in the future to brief/train NSA personnel concerning the authorization granted by orders issued by the Court in this matter; At least once before any future orders renewing the authorization granted in docket number BR 08-13 expire, a meeting for the purpose of assessing compliance with this Court's orders will be held with representatives from NSA's OGC, NSD, and appropriate individuals from NSA's Signals Intelligence Directorate. The results of this meeting will be reduced to writing and submitted to the Court as part of any application to renew or reinstate 'this authority; At least once during the authorization period of all future orders, NSD will meet with NSA's Office of Inspector General (OIG) to discuss their respective oversight responsibilities. and assess NSA's com_pliance with the Court's orders in this matter; Prior to implementation, all proposed automated query processes will be reviewed and approved by NSA' s OGC and NSD.

1111

1111

11

(TS//SI//NF)
While no oversight regime is perfect, the Government submits that this more. robust oversight regime will significantly reduce the likelihood of such compliance h1cidents occurring in the future. (TS)

TOP SECRET//COMINT//NOFORN//MR

21

TOP SECRET//COMINT//NOFORN//MR C. The Value of the BR Metadata to the Government's National Security Mission (TS)

The BR metadata plays a critical role in the Government's ability to find and identify members and agents o . As discussed in declarations previously filed with the Court in this matter, operatives of use the international telephone system to communicate with one another between numerous countries all over the world, including to and from the United States. Access to the accumulated pool of BR metadata is vital to NSA's counterterrorism intelligence mission because it enables NSA to discover the communications of these terrorist operatives. See Alexander Deel. at 39-

42. While terrorist operatives often take intentional steps to disguise and obscure theif
communications and their identities using a variety of tactics, by employing its contact chaining against the accumulated pool of metadata NSA can

discover valuable information about the adversary. See id. Specifically, using contact chaining NSA may be able to discover previously unknown

telephone identifiers used by a known terrorist operative, to discover previously unknown terrorist operatives, to identify hubs or common contacts between targets of interest who were previously thought to be uncmmected, and potentially to discover individuals willing to become U.S. Government assets. See, e.g., Deel. of Lt. Gen. Keith

B. Alexander, docket number BR 06-05, Ex. A at 19;-Decl. o


TOP SECRET//COMINT//NOFORN//MR 22

ocket

TOP SECRET//COMINT//NOFORN//MR number BR 08-13, Ex. A at ciI19-11. 20 Such discoveries are not possible when targeting solely knovm. terrorist telephone identifiers. See Alexander Deel. at 39-40. Demonstrating the value of the BR metadata to the U.S. Intelligence Community, the NSAhas disseminated 275 reports and tipped over 2r500 telephone identifiers to the FBI and CIA for further investigative action since the inception of this collection in docket number BR 06-05. See id. at 42. This reporting has provided the FBI with leads and linkages on individuals in the U.S. with connections to terrorism that it may have otherwise not identified. See id. (TS//SI//NF)
In summary, the unquestionable foreign intelligence value of this collection, the

substantial steps NSAhas already taken to ensure the BR metadata is only accessed in compliance with the Court's Orders, and the Government's enhanced oversight regime provide the Court with a substantial basis not to rescind or modify the authorization for this collection program. (TS) III. THE COURT NEED NOT TAKE ADDITIONAL ACTION REGARDING MISREPRESENTATIONS THROUGH ITS CONTEMPT POWERS OR BY REFERRAL TO APPROPRIATE INVESTIGATIVE OFFICES (TS) The January 28 Order asks "whether the Court should talce action regarding persons responsible for any misrepresentation to the Court or violation of its Orders/'

. See Alexander Deel. at 41; De~. ~o.~cet number BR OB:, ~ _ 13, Ex. A at 110. (TS//SI//NF)

TOP SECRET//COMINT//NOFORN//MR 23

1846 & 1862 PRODUCTION 5 MARCH 2009 -2R-

TOP SECRET//COMINT//NOFORN//MR either through its contempt powers or by referral to the appropriate investigative offices." January 28 Order at 2. The Government respectfully submits that such act~ons are not require~. Contempt is not an appropriate remedy on these facts, and no referral is reqmred, because NSA already has self-reported this matter to the proper investigative offices. (TS//SI//NF) .VVhether contempt is civil or criminal in nature turns on the "character and purpose" of the sanction involved. See Int'l Union, United Mine Workers of Am. v. Bagwell, 512 U.S. 821, 827 (1994) (quoting Gompers v. Bucks Stove & Range Co., 221 U.S. 418, 441 (1911)). Criminal contempt is punitive in nature and is designed to vindicate the authority of the court. See Bagwell. 512 U.S. at 828 (internal quotations and citations omitted). It is imposed retrospectively for a "completed act of disobedience," and has no coercive effect because the contemnor cannot avoid or mitigate the sanction through later compliru1ce. Id. at 828-29 (citations omitted). 21 Because NSA has stopped the alert list process and corrected the Agency's unintentional misstatements to the Court, any possible contempt sanction here would be in the nature of criminal contempt. (TS//SI/!NF)

By contrast, civil contempt is "remedial, and for the benefit of the complainant." Gompers. 221 U.S. at 441. It "is ordinarily used to compel compliance with an order of the court," Cobell v. Norton, 334 F.3d 1128, 1145 (D.C. Cir. 2003), and may also be designed "to compensate the complainant for losses sustained." United States v. United Mine Workers of . America, 330 U.S. 258, 303-04 (1947) (citations omitted). -(U)
21

TOP SECRET//COMINT//NOFORN//MR 24
1 R4F\ Jt 1 RR? PRnn11r.T I ()t-,1
!::;
MAR~!-!

?nna - ? 0 -

TOP SECRET//COMINT//NOFORN//MR A finding of criminal contempt "requires both a contemptuous act and a wrongful state of mind." Cobell, 334 F.3d at 1147 (citations omitted). The violation of

the order must. be willful: u a volitional act by one who knows or should reasonably be
aware th.at his conduct is wrongful." United States v. Greyhound Corp .. 508 F.2d 529, 531-32 (7th Cir. 1974), quoted in In re
Ho~loway,

995 F.Zd 1080, 1082 (D.C. Cir. 1993)

(emphasis in original). For example, a criminal contempt conviction under 18 U.S.C. 401 requires, among other things, proof of a willful violation of a court order; i.e., where the defendant //acts with deliberate or reckless disregard of the obligations created by a court order." United States v. Rapone, 131F.3d188, 195 (D.C. Cir. 1997) (citations omitted). 22 (U) Here, there are no facts to support the necessary finding that persons at NSA willfully violated the Court's Orders or intentionally sought to deceive the Court. To the contrary, NSA operational personnel implemented the alert list based on the concurrence of its OGC to a set of procedures that contemplated comparing the alert list, including non-RAS-approved telephone identifiers, against a flaw of new BR metadata. See Alexander Deel. at 12-14. The concurrence of NSA's OGC was based on NSA's understanding that, by using the term "archived data," the Court's Order in

22

A person charged with contempt committed out of court is entitled to the usual

protections of criminal law, such as the presumption of innocence and the right to a jury trial. Bagwell, 512 U.S. at 827-28. For criminal contempt to apply, a willful violation of an order must be proved beyond a reasonable doubt. See id. ContemFt occurring in the presenc~ of the Court, however, is not subject to all such protections. See id. ~tS27 n.2. (U) --

- -

TOP SECRET//COMINT//NOFORN//MR 25

TOP SECRET//COMINT//NOFORN//MR docket number BR 06-05 only required the RAS standard to be applied to the contact chainin
~

. conducted by accessing NSA's analytic repository of BR

metadata. See id. at 10-14. This advice was given for the purpose of advising NSA operators on how to comply with the Court's Orders when using an alert list. Its goal pla:iJ.uy was not to deliberately or recklessly disregard those Orders; and in heeding this advice, NSA operators were not themselves seeking to deliberately or recklessly disregard the Court's Orders. Indeed, the NSA attorney who reviewed the procedures added language to the procedures to emphasize the Court's requirement that the RAS standard must be satisfied prior to conducting any chainin analytic repository of BR metadata. See id. at 13-14. (TS//SI//NF) NSA OGC's concurrence on the procedures the SIGINT Directorate ~eveloped for processing BR metadata also established the framework for numerous subsequent decisions and actions, :including the drafting and reviewing of NSA's reports to the Court. NSA pers01mel reasonably believed, based on NSA OGC's concurrence with the BR Procedures, that the queries subject to the Court's Order were only contact chaining of the aggregated pool of BR metadata. Against this backdrop, NSA operational personnel reasonably believed that, until contact chaining of the aggregated pool of BR metadata was conducted, the alert list process was not subject to the RAS requirement contained in the Court's Order. This, in turn, led to the misunderstanding between the NSA attorney \f\'.ho 2!epared the initial_ draft_ of NSA's TOP SECRET//COMINT//NOFORN//MR of NSA's

26

TOP SECRET//COMINT//NOFORN//MR fust BR report to the Comt and the individual in the SIGINT Directorate who served as the report's primary reviewer, so that ultimately the report contained an incorrect description of ~e alert list process. See id. at 16-18.23 In other words, there was no deliberate effort to provide inaccurate or misleading information to the Court, nor did any NSA employee deliberately circumvent the RAS requirement contained in the Court's Orders. Based on this confluence of events, all parties involved in the drafting of the report believed the description of the alert list to be accurate. (TS//SI//NF)
In addition, the Government has already taken steps to notify the appropriate

investigative officials regarding this matter. Specifically, FBI's OGC was informed of this matter on January 23, 2009; the Director of National Intelligence was informed of this matter on January 30, 2009, and received additional information about the incident on two other occasions; and the Undersecretary of Defense for Intelligence was informed of this matter on February 10, 2009. See id. at 28-29. NSAhas also ;notified its Inspector General of this matter. See id. at 28. Finally, NSA is in the process of formally reportiJ.1g tliis matter to the Assistant Secretary of Defense for Intelligence Oversight and subsequently the President's Intelligence Oversight Board. See id. at 28-29. (S)

As described above, the alert list actually consisted of two partitions -one of RASapproved identifiers that could result in automated chaining in the BR meta data and a second of non-RAS approved identifiers that could not be--t1.sed.t..o initiate automated chaining in the BR. metadata. See Alexander Deel. at 15. (TS//SI//NF)

23

_ __

TOP SECRET//COMINT//NOFORN//MR
27

TOP SECRET//COMINT//NOFORN//MR CONCLUSION (U) For the reasons provided above, while the Government acknowledges that its descriptions of, the alert list process to the Court were inaccurate and that the Court's Orders in this matter did not authorize the alert list process as implemented, the Court should not rescind or modify its Order in docket number BR 08-13 or take any further remedial action. (TS//SI//NF)

Respectfully submitted,

Matthew G. Olsen Acting Assistant Attorney General

Office of Intelligence National Security Division United States Department of Justice

TOP SECRET//COMINT//NOFORN//MR 28

1846 & 1862 PRODUCTION 5 MARCH 2009 -34-

TOP SECRET//COMINT//NOFORN/!MR UNITED STATES FOREIGN INTELLIGENCE SURVEILLANCE COURT

WASIDNGTON, D.C.

) ) ) )

Docket No.: BR 08-13

DECLARATION OF LIEUTENANT GENERAL KEITH B. ALEXANDER, UNITED STATES ARMY, DIRECTOR OF THE NATIONAL SECURITY AGENCY

(U) I, Lieutenant General Keith B. Alexander, depose and state as follows:


(U) I am the Director of the National Security Agency ("NSA" or "Agency"), an

intelligence agency within the Department of Defense ("DoD"), and have served in this

'

position since 2005. I currently hold the rank of Lieutenant General in the United States

Army and, concurrent with my current assignment as Director of the National Security Agency, I also serve as the Chief of the Central Security Service and as the Commander of the Joint Functional Component Command for Network Warfare. Prior to my current assignment, I have held other senior supervisory positions as an officer of the United
I

States military, to include service as the Deputy Chief of Staff (DCS, G-2), Headquarters,

Department of the Army; Commander of the US Anny's Intelligence and Security Command; and the Director of Intelligence, United States Central Command.

. TOP SECRET//COMlNTt!.NOFORN//MR

TOP SECRET//COMJNT//NOFORN//MR (S) As the Director of the National Security Agency, I am responsible for directing and overseeing all aspects ofNSA 1 s cryptologic mission, which consists of
three functions: to engage in signals intelligence ("SIGINT") activities for the US

Government, to include support to the Government:s computer network attack activities; to conduct activities concerning the security of US national security telecommunications and information systems; and to conduct operations security training for the US Govemment. Some of the information NSA acquires as part of its SIGINT mission is
collecte~

pursuant to Orders issued undi;::r the Foreign Intelligence Surveillance Act of

1978, as amended ("FISA"). (U) The statements.herein are bas~d upon my personal knowledge, information

provided to me by my subordinates in the coilrse of my official duties, advice of counsel, and conclusions reached in accordance therewith.

I. (U) Purpose:
(S//SI//NF) Tbis declaration responds to the Court's Order of28 January 2009

("BR Compliance Order"), which directed the Government to provide the Foreign

Intelligence Surv-eillance Court ("'FISC" or "'Court") with information "to help the Court
assess whether the Orders issued in thls docket should be modi4ed or rescinded; whether

other remedial steps should be directed; and whether the Cou.rtshould take action regarding persons responsible for any misrepresentations to the Court or violations of its Orders, either through its contempt powers or by referral to appropriate investigative offices."

'l'OP SECRET//COMINT//NOFORN//MR
-2-

TOP SECRET//COJv.!INT//NOFORN//MR
(S/INF) To this end, this declaration, describes the compliance matter that gave rise to the BR Compliance Order; NSA's analysis of the underlying activity; the root causes of the compliance problem; the corrective actions NSA has taken and plans to take

to avoid a reoccurrence of the incident; answers to the seven (7) specific questions the
Court has asked regarding the incident; and a description of the importance of tbis
collection to the national security of the United States.

II. (U) Incident:


A.: (U) Summary

(TS//SIJ/NF) Pursuant to a series of Orders issued by the Court since May 2006, NSA has been receiving telephony metadata from telecommunications providers. NSA refers to the Orders collectively as the "Business Records Order" or "BR FISA." With each iteration of the Business Records Order, the Court has included language which says

"~ccess to the archived data shall occur only when NSA has identified a known
telephone identifier for which .. . there are facts giving rise to a reasonable articulable suspicion that the telephone identifier is associated with

Seei e.g.,
Docket BR 08-13, Primary Order, 12 December 2008, emphasis added. For reasons described in more detail in the Section III.A. of this declaratiQn, NSA personnel understood the term "archived data" to refer to NSA's analytic repository of BR PISA metadata and implemented the Business Records Order accordingly.

TOP SECRET//COMINT//NOFORN//MR

TOP SECRET//COMJNT//NOFORN//MR (TS//SV/NF) "While NSA did not authorize contact chainin occur"in the Agency's analytic repository of BR FISA material unless NSA had determined that the "seed'' telephone identifier for the chaining satisfied.the reasonable articulable suspicion C'RAS") standard specified in the Order, in its reports to the Court regarding NSA's implementation of the Business Records Order, the Agency incolTectly described an intermediate step called the alert process that NSA applied to the incoming stream of BR PISA metadata. The alert process would notify
'

to

counterterrorism (CT) analysts if a comparison of the incoming metadata NSA was receiving from the Business Records Order and other sources of SIGINT collection revealed a match with telephone identifiers that were on an alert list of identifiers that were already of interest to CT personnel. (TS//SV/NF) In its reports to the Court, NSA stated the alert list only contained telephone identifiers that satisfied the RAS standard. In reality, the majority ofidentifiers on the alert list were CT identifiers that had not been assessed for RAS. If one of these non-RAS approved identifiers generated an alert, a CT analyst was notified so that NSA could make a RAS determination. If the Agency determined the identifier satisfied the RAS standard, only then would the identifier be approved as a seed for contact chaining

in the Agency's BR PISA analytic repository (i.e., the "archived


data"), If the contact chaining roduced information of foreign

intelligence value, an NSA analyst would issue a report. In other words, none ofNSA' s BR FISA reports were based on non-RAS approved identifiers across the period in question -May 2006 through January 2009.

TOP SECRET//COMINT/!NOFORN//.MR
- 41 R4fi R. 1 Rfi? PRnn11r.T I ON h MARr.1-1 ?nn!=\ -:.\R-

TOP SECRET//COMINT//NOFORN//MR
(S//SI) I wish to emphasize that neither I nor the Agency is attempting to downplay the significance ofNSA's erroneous description oftlie alert process to the Court. In retrospect, the Business Records Order did not provide NSA with specific authority to employ the alert list in the manner in which it did. The Agency'~ failure to describe the alert process accurately to the Court unintentionally precluded the Court
from determining for itself whether NSA was correctly implementing the Court's Orders.

Although I do not believe that any NSA employee intended to provide inaccurate or misleading information to the Court, I fully appreciate the severity of this error.

B. (U) Details

(TS//SI//NF) Docket BR 08-13 is the FISC's most recent renewal of authoi:ity first granted to the Government in May 2006 to receive access to business records in the form of telephone call detail records. See Docket BR 06-05, 24 May 2006. NSA developed
the automated alert process to notify NSA analysts of contact between a foreign

telephone identifier of counterterrorism interest and any domestic telephone identifier; or

any contact between a domestic telephone identifier, related to a ~oreign counterterrorism


target, and any foreign telephone identifier. In its first BR PISA report to the Court in August 2006, the Agency described the automated alert process as follows:

(TS//SI//NF) NSA has compiled through its continuous counterterrorism analysis, a list of telephone numbers that constitute an "alert list" oftele hone numbers used b members of This alert list serves as a body of te ephone num ers employed to query the data, as is described more fully below. (TS//SI//NF) Domestic numbers and foreign numbers are treated differently 'With respect to the criteria for.inciu@ng them on the alert list.
TOP SECRET//COMINT//NOFORN//MR -51 R LI. ,:::

fl.

1 SH~ ?

D l:HH'\ 11 (' T I ('\I'd

l\A LU::> r l-1

'> n n a

a-

TOP SECRET//COMINT//NOFORN//MR

Each of the foreign te e ho e as ossibly related to is evaluated to determine whether the information about it provided to NSA satisfies the reasonable articulable suspicion standard. If so, the foreign telephone number is placed on the alert list; if not, it is not placed on the alert list. (TS//81'/NF) The process set out above applies also to newly discovered domestic telephone numbers consider~d for addition to the alert list, with the additional requirement that NSA's Office of General Counsel reviews these numbers and affums that the telephone number is not the focus of the analysis based solely on activities that are protected by the First Amendment. There are, however, two categories of domestic tele hone numbers that were added to the NSA alert list and the basis for their addition is slightly different. (TS//S1'/NF) The frrst category consists.oflldomestic numbers that are currently the subject of FISC authorized electronic surveillance based on the FISC's findin<T of robable cause to believe that the are used by agents of Since these numbers were already reviewed and au orized by the Court for electronic surveillance purposes, they were deemed approved for meta data querying without the approval of an NSA official. (TS//81'/NF) The second category consists of .omestic numbers each of which was added to the NSA alert list aft r omin to NSA's ttenti

TOP SECRET//COMINT//NOFORN//MR
-6-

1846 & 1862 PRODUCTION 5 MARCH 2009 -40-

TOP SECRET//COMJNT//NOFORN//MR (TS//SI//NF) However, in order to avoid any appearance of circumventing the procedures, NSA will change its software to build the domestic chains from the original foreign number and remove the numbers described above from the alert list. While the software is being developed, which will take approximately 45 days, NSA will continue to run the domestic numbers on the alert list as described. [l] (TS//SI//NF) As of the last day of the reporting period addressed herein, NSA had included a total of 3980 telephone numbers on the alert list, which includes foreign numbers and domestic numbers, after concluding that each of the foreign telephone numbers satisfied the standard set forth in the Court's May 24, 2006, and each of the domestic telephone munbers was either a FISC approved number or in direct contact with a foreign seed that met those criteria. (TS//SI//NF) To summarize the alert system: every day new contacts are automatically revealed with the 3980 telephone numbers contained on the alert list described above, which themselves are present on the alert list either because they satisfied the reasonable articulable suspicion st:;ndard, or because they are domestic numbers that were either a FISC approved number or in direct contact with a number that did so. These automated queries identify any new telephone contacts between the numbers on the alert list and any other number, except that domestic number~ do not alert on domestic-to-domestic contacts. . (TS//SI//NF) During this reporting period, a combination of the alert system and queries resulting from leads described below in paragraph two led to analysis that resulted in the discovery of 13 8 new numbers that were tipped as leads to the FBI and the CIA as suspicious telephone numbers.

See Docket BR 06-05, NSA Report to the FISC, August 18, 2006, at 12-16 (footnote
omitted). Subsequent NSA reports to the Court contained similar representations as to the functioning of the alert list process. See, e.g., Docket BR 08-08, NSA 120-Day Report to the FISC, December 11, 2008, at 8-12.

(TS//SI/!NF) In short, the reports filed with the Court incorrectly stated that the . telephone identifiers on the alert list satisfied the RAS standard. In fact, the majority of telephone identifiers included on the alert list had not been RAS approved, although the

TOP SECRET//COMINT//NOFORN//1\1R

- 7 -

1846 & 1862 PRODUCTION 5 MARCH 2009 -41-

TOP SECRET!!COMINTllNOFORN!tMR identifiers were associated with the same class of terrorism targets covered by the Business Records Order. 2 Specifically, of the 17 ,83 5 telephone identifiers that were on the alert list on 15 January 2009 (the day DoJ reported this compliance incident to the Court), only 1,935 were RAS approved. 3
Ill. (U) NSA's Analysis:

(TS//SI/INF)
(The term "metadata" refers to information about

a commWlication, such as routing infowation, date/time of the communication, etc., but


does not encompass the actual contents of a communication.) As explained in greater

detail in Section VU-of this declaration~ analysis of communications metadata can yield
important foreign intelligence infowation,

(TS//Sl//NF) The reports filed with the Court in this matter also incorrectly stated the number of identifiers on the alert list, Each report included the number of telephone identifiers purportedly on the alert list. See, e.g., Docket BR 06-08, NSA 120-Day Report to the FISC, August I B, 2006, at 15 ("As of tbe last day of the reporting period addressed herem, NSA has included a total of 3980 telephone numbers on the alert list, . , .");Docket BR 08-13, NSA 120-Day Report to the FISC, December 11, 2008, at 11 (''As of November 2, 2008, the last day of the reporting period herein, NSA had included a total of27,090 telephone identifiers on the alert list , .."). In fact, these numbers reported to the Court did not reflect the number of identifiers on the alert list; they actually.represented the total number of identifiers included on the "station table" (discu.ssed below atpage15) as "RAS approve.ti;' i.e., approved for contact chaining.

TOP SECRET//COMJNT//NOFORN//MR
-8-

TOP SECRBTllCOMINTllNOFORNllMR (TS/ISVINF) , NSAput on

the alert list telephone identifiers from two different source~ that were of interest to counterterrorism personnel. The first source consisted of telephony identifiers against which the Agency was conducting SIGINT collection for counterterrorism reasons and the second source consisted of domestic telephony identifiers which, as a result of analytic tradecraft, were also.deemed relevant to the Government's counterterrorism

activity. The key goal ohhis alert process was to notify NSA analysts if there was a
contact between a foreign telephone identifier of counterterrorism interest and any domestic telephone identifier; or contact between any domestic telep)lone identifier, ' related to a foreign counterterrorism target, and any foreign telephone identifier. At the time, NSA considered fuis type of contact to be an important potential piece of foreign intelligence since such contact could be indicative of an impending terrorist attack agaillst the US homeland. 4

A. (TS) The Alert List Process

...
4

(TS//SI//NF) When the Court issued the first Business Records Order in May

------~

:.l

I. -

Database" which was a master target database of foreign and domestic telephone . identifiers that were of cunent foreign intelligence interest to counterterrorism personnel.
(TS//SI//NF) Neither the Agency nor the rest of the US Intelligence Community has changed this view regarding the importance of identifying this type of contact between counterterrorism targets and persons inside the United States. In fact, the 9/1 I Commission Report alluded to the failure to share information regarding a facility associated with an al Qaeda safehouse in Yemen and contact with one of the 9/11 hijackers (al Milidhar) in San Diego, California, as an important reason the Intelligence Community did not
detect al Qaeda's planning for the 9/11 attack. See, "Tiie 2Ll.I Ccnnmission Report,"
at26~-272.

TOP SECRET//COMINT//NOFORN//MR
-9-

TOP SECRET//COMINT//NOFORN//MR The second source w a s - which was and continues to be a database NSA uses as
a selection management system to manage and task identifiers for SIGINT collection.

(TS//SI//NF) The Business Records Order states that "access to the archived data shall occur only when NSA has identified a known telephone identifier for which ... there are facts giving rise to a reasonable articulable suspicion that the telephone identifier is associated wi Docket BR 08-13,
Primary Order, 12 December 2008. The' term "archived data'' is of critical importance to

understanding the rebuilt alert process NSA implemented after the Court issued the first
Business Records Order in May 2006.

(TS//SL'/NF) As normally used by NSA in the context of the Agency's SIGJNT


activities, the tem1 "archived data'' refers to data stored in NSA' s analytical repositories and excludes the many processing steps the Agency employs to make the raw collection useful to individual intelligence analysts. 5 Based on internal NSA correspondence and from discussions with NSA personnel familiar with the way NSA processes SIGINT collection, I have concluded this understanding

or the term "archived data" meant that the

NSA personnel who designed the BR FISA alert list process believed that the requirement to SEI;tisfy the RAS standard was only triggered when access was sought to
NSA's stored (i.e., "archived" in NSA parlance) repository ofBRFISA data.
5 (TSl/SVINF) For example, a small team of "data integrity analysts" ensures that the initial material NSA receives as a result of the Business Records Order is properly fonnatted and does not contain extraneous material that the Agency does not need or want before such material is made available to intelligence analysts.

TOP SECRET//COMINT//NOFORN//MR
- 10
R

1846 ! 1862 PRODUCTION 5 MARCH 2009 -44-

TOP SECRET//COMINT//NOFORN//JV!R
(TS//SI//NF) In fact, when the initial draft procedures for implementing the Business Records Order were created, it does not appear that either the SIGINT Directorate or the Office of General Counsel identified the use of non-RAS approved identifiers on the alert list as an issue that required in-depth analysis. NSA pers6m1el, including the NSA attorney who reviewed the SIGINT Directorate's implementation procedures for the Business Records Order, appear to have viewed the alert system as merely pointing to a particular identifier on the alert list that required detennination of

whether the RAS standard had been satisfied before permitting contact chaining andlor pattern analysis in the archived BR FISA data. Accordingly, the Office of General
Counsel approved the procedures but stressed that the RAS standard set out in the Business Records Order had to be satisfied before any access to the archived data could occur. 6

(TSllSVINF) As a result, personnel in the SIGINT Directorate who understood

how the automated alert process worked, based on their own understanding of the term "archived data" and the advice ofNSA's Office of General Counsel, did not believe that NSA was required to limit the BR FISA alert list to only RAS approved telephone identifiers,

(TS//SI//NF) This result is not surprising since, regardless of whether the identifiers on the alert list were RAS approved, NSA was lawfully authorized to collect the conversatio.qs and metadata associated with the non-RAS approved identifiers tasked for NSA SIGINT collection activities under Executive Order 12333 and included on the alert list. The alert process was intended as a way anal sts to rioritize their work. The alerts did not provide analysts with permissio o on uct cont ct chainin fthe BR FISA metadata. Instead, any contact chaining of the BR FIS data also required a determination that the seed number for such chaining had satisfied the)tAS standard.

for

TOP SECRET//COMINT//NOFORN//MR
~

11 J!.

1 Q Li k

1 Q

~ ")

c ('\ f'i 11 (\ T

I ('\II.I . r:::.

~A

A 0,... u

') n n Cl

- JI

c:: -

TOP SECRET//COMINT//NOFORN//MR
Rather, they believed the limitation in the Court's order applied only where data

had been aggregated over time, and where the authority and ability existed to conduct multi-hop analysis across the entire data archive. (See Section VII for a description of the benefits of aggregating data for later analysis.)

(TS//SI//NF) NSA's review of this matter has confirmed that, even prior to the
issuance of the Business Records Order, members of the SIGINT Directorate engaged in discussions with representatives ofNSA' s Office of General Counsel to determine how the Agency would process the telephony metadata NSA expected to receive pursuant to

the Court's Order. Then, on 25 May 2006 immediately after issuance of the frrst
Business Records Order, representatives ofNSA's Signals Intelligence Directorate asked NSA's Office of General Counsel to concur on a draft set of procedures the SIGJNT Directorate had developed to implement the Business Records Order. These draft procedures stated:

The~LERT processing system will provide a selective notification to the NSA CT AAD Shift Coordinator that a FISA Business Record transaction has been received. This notification will contain only the foreign telephone number and collection bin category. This notification will only occur when the foreign number in the transaction matches the foreign telephone number residing in that collection bin. This notification will include no domestic numbers and occurs prior to any chaining whatsoever.

There was no express statement that the alert list contained both RAS and non-RAS approved identifiers but it was clear that identifiers in the alert system would be

TOP SECRET//COMWT//NOFORN//MR

- 12 -

1846 & 1862 PRODUCTION 5 MARCH 2009 -46-

TOP SECRET//COMINT//NOFORN//MR compared against incoming BR PISA data. It was also cleax that, if there was a match between an identifier on the alert list and an identifier in the incoming data, a Shlft Coordinator in the SIGINT Directorate's counterterrorism office would be notified. (TS//SI//NF) Later on 25 May 2006, of the Office of
8

General Counsel concurred on the use of the draft procedures after adding language to the procedures emphasizing that analysts could not access the archived BR FISA data in

NSA's BR FISA data repository unless the RAS standard had been satisfied.
coordinated her review of the procedures with one of her colleagues in the Office of General Counsel procedures stated in pertinent part: The CT AAD Shift Coordinator will examine the foreign number and determine if ' s been previously associated w i t h ased on the standard articulated by the Court. Specifically, as initially drafted, the

evised this bullet to read: The CT AAD Shift Coordinator will examine the foreign number and determine if

t1 t arf 1 t l h

b has been previously associated with - 11 ased on the standard articulated by~

Reasonable articulable suspicion must be based on a totality of the circumstances and can be met by any number of factual scenarios. However, if a seed number is of interest only because of its direct contact with one other number, that other number must be known b some 'denti:fi.able standard (probably or possibly) to be used by If you are unsure of whether the standard is met, please contact OGC.

(TS//Sl//NF) Since preparation of the original procedures, the Agency now refers to each "Shift Coordinator" as a."Homeland Mission Coordinator'' or "HMC."

TOP SECRET//COMINT//NOFORN//MR

-13 -

1846 & 1862 PRODUCTION 5 MARCH 2009 -47-

TOP SECRET//CO:rv.nN"TI!NO FORNI/MR lso added a footnote to the procedures to read, "As articulated in the FISC Order, 'access to the archived data will occur only when the NSA has identified a lmown telephone number for which, based on the practical considerations of everyday life on which reasonable and prudent persons act; there are facts giving rise to a reasonable, articulable suspicion that the telephone number is associated with Section SA." (TS//SV/NF) The SIGINT Directorate began using the process described in the procedures not long after receiving OGC' s approval. A copy of the procedures approved
'

byNSA 1 s Office of General Counsel and the approval ofNSA's Office of General
Counsel are attached as Exhibits A and B, respectively. (TS//SVINF) As a result, the Agency ultimately designed the alert process to result in automated call chaining of the BR PISA data repository if the initial alert was based on a RAS approved identifier. If an alert was based on a non-RAS approved identifier, no automated chaining would occur in the BR FISA material but automated

chaining could occur in NSA' s repositories of information that had been acquired under
circumstances where the RAS requireJ:!1ent did not apply~ such as telephony collection that was not regulated by the PISA. (TS//SV/NF) Specifically, on 26 May 2006, ho was

serving as the chief ofNSA-Washington's counterterrorism organization in NSA's Signals Intelligence Directorate, directed that the alert list be rebuilt to ensure that the

TOP SECRET//COMJNT//NOFORN/IMR

- 14 -

TOP SECRET//COMINT//NOFORN//MR alert list would only incll~de identifiers assigned to "bins" or "zip codes" that NSA used
9

to label an identifier as being associated with

since these

were the only classes of targets covered by the initial Business Records Order. Pursuant to this overall direction, personnel in the counterterrorism organization actually built two lists to manage the alert process. The first list - known as the alert list - included all identifiers that were of interest to counterterrorism analysts whq were charged with tracking to include both foreign and domestic telephony

identifiers. This list was used to compare the incoming telephony metadata NSA was obtaining from the Business Records Order and NSA' s other sources of SIGJNT collection to alert the counterterrorism organization if there was a match between a telephone identifier on the list and an identifier in the incoming metadata. 'fhis list had two partitions. The first partition consisted of RAS approved identifiers vyhlch could result in automated chaining of the BR FISA data repository. The second partition consisted of non-RAS approyed identifiers which cciuld not be used to initiate automated

chaining of the archived BR FISA material. The second list-known as the "station
table" - served as a historical listing of all telephone identifiers that have undergone a

RAS detennination, to include the results of the determination. This list was used to
ensure that only RAS approved "'seed" identifiers would be used to conduct chaining or pattern analysis ofNSA' s data repository for BR FISA material. For the Court's

TOP SECRET//CO:MINT//NOFORN//MR
- 15 -

1846 & 1862 .PRODUCTION 5 MARCH 2009 -49-

TOP SECRET//COMINT//NOFORN//MR
convenience, a pictorial description of the BR FISA alert process as the process operated from May 2006 until January 2009 is attached as Exhibit C.

B. (TS) Incorrect Description of Alert List in Reports to the FISC

(TS//SI//NF) Reviews ofNSA records and discussions with relevant NSA persoll1el have revealed tha managing attorney in NSA's Office

of General Counsel, prepared the initial draft of the first BR PISA report. appears to have included the inaccurate desc~iption of the BR PISA alert process due to a mistaken belief that the alert process for the Business Records Order

(TS//SI//NF) After completing his initial draft of the BR PISA report, in an email prepared on Saturday, 12 August 2006

ote:

Attached is the Draft of the Report to the Court. This is NOT ready to go until it is reviewed again ... I have done my best to be complete and thorough, but ... malce sure everything I have siad (sic) is absolutely true.

TOP.SECRET//COMINT//NOFORJ:'I//MR
- 16 -

1846

1862 PRODUCTION h MARr.H

?nn~

-hn-

TOPSEC:RETVCOMINT//NOFORN~MR

See Exbibit D. Despite the direction that the draft BR FISA report be thoroughly

reviewed by other attorneys ap.d NSA operational personnel for accuracy, the inaccurate description of the alert list that was contained in the initial draft of the report was not corrected before the report was finalized. In addition. the inaccurate description was not . ?orrected in subsequent reports to the Court, either, until the inaccurate description was identified by representatives from the Department of Justice ("DoJ") during a briefing and roundtable discussion regarding NSA's handling of BR PISA material on 9 January
2009. Once DoJ confii.med that the Agency's actual alert list process in the BR FISA

was inconsistent with the past descriptions NSA had provided to the Court of the alert list
process, DoJ filed a notice on 15 January 2009 identifying this problem to the Court.

(TS//SI/INF) As alluded to above, the inaccurate description of the BR FISA alert list initially appears to have occurred due to a mistaken belief that the alert list for the BR FISA material

L_ TI1is error was compounded by the fact that, as noted previously, the SIGINT
DirectoratE'. had actually construCted the alert list with two partitions. Moreover, given that the Office of General Counsel prepared the initial draft of the report and had previously approved the procedures the SIGINT Directorate drafted for processing the BR FISA material,
s the primary reviewer of the draft report for

the SIGINT Directorate, thought the Office of General Counsel's description of the

automated alert process for BR FISA material, although omitting a discussion of one of the partitions, was legally correct since no contact chaining was

-- I
TOP SECRBT//COMThlT//NOFORN//MR
- 17 1 R LI. i:\

I
&;.
~n

R.

1 R I; ?

p R ('\ ri 11 ("' T I ('\II.I

A c ('\ u

,, n n Q

c: 1

TOP SECRET//C01\.1:rn"T//NOFORN//MR authorized to take place against the BR PISA archive unless the seed identifier for the
chaining

had undergone RAS approval.

(S//SI) Therefore, it appears there was never a complete understanding among the

key personnel who reviewed the report for

the ~IGINT Directorate and the Office of

General Counsel regarding what each individual meant by the tem1inology used in the report. Once this initial misun9-ersta.nding occurred, the alert list description was never corrected since neither the SIGINT Directorate nor the Office of General Counsel realized there was a misunderstanding. As a result, NSA never revisited the description of the alert list that was included in the original report to the Court. Thus, the inaccurate description was also included in the subsequent reports to the Court. (TS//SI//NF) The initial Business Records Order was the subject of signiiicant attention from NSA's Signals Intelligence D:irectorate, Office of General Counsel, and Office of Inspector General in an effort to ensure the Agency implemented the Order correctly. See, e.g., NSA Office of Inspector General Report, "'Assessment of Management Controls for Implementing the FISC Order: Telephony Business Records,"
dated 5 September 2006 (attached as Exhibit E). 11 Nevertheless, it appears clear in

hindsight from discussions with the relevant personnel as well as reviews ofNSA's internal records that the focus was ahnost always on whether analysts were contact
chaining the Agencis repository of BR PISA data in compliance with the RAS standard

(TS//SV/NF) Note that some of the Exhibits included with this declaration, such as Exhibit E, contain the NSA has de-compartmented these materials solely for control marking the Court's consideration of the BR FISA compliance incident that DoJ reported to the Court on 15 January 2009. --

11

r-

TOP SECRET//CO:MmT//NOFORN/fMR
- 18 -

1846 & 1862 PRODUCTION 5

MAR~H

200R

-~2-

TOP SECRET//COMINT//NOFORN//MR specified in the Order. Similarly, subsequent internal NSA oversight ofNSA's use of BR FISA material also appears to have focused on ensuring that:
e; Homeland

Mission Coordinators were applying the RAS standard

correctly;
e

Proper acces~ control and labeling procedures were in place to ensure BR PISA material was controlled appropriately;

e1

The Agency was receiving and archiving the correct BR FISA telephony metadata;

The Agency's dissemination of BR FISA reports containing US telephone identifiers were handled consistently with the terms of the Bl.1-siness Records Order and NSA reporting policies; and

A process was put in place to conduct some auditing of tlie queries of the
BR PISA data repository.

(TS//SI/INF) Furthermore; from a technical standpoint, there was no single person who had a complete technical understanding of the BR PISA system architecture. This probably also contributed to the inaccurate description of the alert list that NSA included in its BR FISA reports to the Court.
IV. (U) Corrective Actions:

A. (TS) Tb.e Alert List

(TS//SI//NF) Since DoJ reported this compliance matter to the Court on


15 January 2009, NSA ha~ taken a number of co1Tectivumeasures, to include immediate

TOP SECRET//COI\1INT//NOFORN//MR - 19 -

1846 & 1862 PRODUCTION 5 MARCH

200~

-h~-

TOP SECRET//COMrnT//NOFORN//MR steps to sequester, and shut off analyst access to, any alerts that were generated from comparing incoming BR FISA material against non-RAS approved identifiers. NSA also immediately began to re-engineer the entire alert process to ensure that material acquired pursuant to the Court's Business Records Order is only compared against identifiers that have been determined to satisfy the RAS standard since this was the description of the process that the Agency had provided to the Court. After an initial effort to fix the problem resulted in an u.nlntended configuration of the revised automated alert process, NSA shut down the automated alert process entirely on 24 January 2009. (This configuration error resulted in DoJ filing a Supplemental Notice of Compliance Incident

with the Court on 3 February 2009.) The automated alert process for BR FISA data will
remain shut down lllltil the Agency can ensure that all the intended changes to the automated BR FISA alert process will operate as intended and in a manner that match the descriptions NSA has provide to the Court. As appropriate, NSA plans to keep DoJ and the Court informed concerning the progress of this effort.

(TS//SI//NF) In short, this redesign of the alert process will ensure that it is implemeq.ted in a manner that comports with. the Court's Orders. NSA currently contemplates that there will actually be two, physically separate, alert lists. One list will consist solely of RAS approved identifiers and only this list will be used as a comparison point against the incoming BR FISA material. The second list will consist of a mix of RAS and non-RAS approved identifiers but will not be compared against the BR PISA data. In other words, BR FISA data will not be compared against non-RAS approved identifiers.

TOP SECRET//COJV1INT//NOFORN//MR

- 20 1846 & 1862 PRODllr.T I nf\I Fi MARr.1-1 ?nno


--i::LI.--

TOP SECRET//COMINT//NOFORN/IMR

B. (U) Other Measures Being Taken to Better Ensure Compliance With the Court's Orders
(TS//SL'/NF) In addition to the immediate measures the Agency took to address the compliapce incident, I directed that the Agency complete ongoing end-to-end system engineering and process reviews (technical and operational) ofNSA's handling of BR PISA material to ensure that the material is handled in strict compliance with the terms of the Business Records Order anq the Agency's descriptions to the Court.
12

Detailed below are components of this end-to-end review and other steps being taken by

NSA to ensure coinpliance with the Court's Orders. 13

(TS//SI//NF) For example,

as part of the review that I have ordered, the Agency is

examining the "Transaction Portal" analysts use to conduct one (1) hop chaining on RAS approved telephone identifiers for the purpose of validating network contacts, identified through previous, properly authorized contact chaining, for reporting on terrorist contacts

with domestic telephol;le identifiers. The existing query mechanism for the Transaction
Portal limits each query to a single "hop." In order that the results do not exceed the three (3) hop limit imposed by the Business Records Order the identifier entered by an analyst must either be RAS approved or must be within two (2) hops of the RAS approved identifier. Results from the query are returned to the analyst as a list of all individual call records associ.ated with the identifier for the query. In theory) an analyst

12 (S) NSA's SIGINT Director has directed similar reviews for some of the other sensitive activities NSA undertakes pursuant to its SIGINT authorities, to include certain activities that are regulated by the FISA, .such as NSA's analysis of data received pursuant to t h e - I f the Agency identifies any compliance issues related to activities undertaken pursuant to FISC authorization, NSA will bring such issues to the attention ofDoJ and the Court.

(TS//Sl//NF) The results of this end-to-end review will be made available to DoJ and, upon request, to the FISC. --.

13

TOP SECRET//COMJ}ff//NOFORN//MR

- 21 -

1846 & 1862 PRODUCTION 5 MARCH

200~

-~~-

TOP SECRET//COMINT//NOFORN//MR
could conduct a series of one-hop queries to effectively conduct a multi-hop chain of the BR PISA data. The Agency is investigating whether software safeguards can be . developed to enforce the three hop limit imposed by the Business Records Order.

(TS//SI//NF) NSA initiated a review of the domestic identifiers on the "station table" that NSA uses as its historical record of RAS approval decisions on approved telephone identifiers so that NSA will be certain the Agency is in compliance with all aspects of the Business Records Order, to include the Agency's previous representations to the Court. As NSA's historical listing of all telephone identifiers that have undergone a RAS determination, the station table includes the results of each determination (i.e., RAS approved or not RAS approved).

(TS//SI//NF) Similar to the reviews of the Transaction Portal ind the station table, NSA is examining other aspects of the Agency's technical architecture, to ensure that NSA' s technical infrastructure has not allowed, and will not allow, non-approved selectors to be used as seeds for contact chaining of the BR FISA data.
'

NSA will report to DoJ and the Court if this examination of the technical infrastructure reveals any incidents of improper qerying of the BR PISA data repository.

(TS//SI//NF) Although the Agency and DoJ have conducted previous audits of queries made against the BR FISA data, in resp.onse to the BR Compliance Order as well as in light of recent instances of in1proper querymg that were the subject of separate notices to the Court, the Agency initiated an audit of all queries made of the BR FISA data repository since 1November2008 to determine if any of the queries during this

TOP SECRET//COMINT//NOFORN//MR.
-22-

1846 & 1862 PRODUCTION 5 MARCH 2009 -56-

TOP SECRET//COMINT//NOFORN//MR
timeframe were made on the basis of non-RAS approved identifiers. While this review is still ongoing, to date this review has revealed no instances of improper querying of the BR FISA data repository, aside from improper queries made by two (2) analysts who were the subject of a previous compliance notice to the Court. From the time these two analysts were granted access to the BR PISA data repository on 11 and 12 December 2008 until the time NSA terminated their access in January 2009, these two analysts were responsible for 280 improper queries.

(TS//SI/JNF) Also, in response to some earlier instances of improper analyst queries of the BR FISA data repository that were recently discovered and reported to the Court, the Agency scheduled and delivered ill-person briefings for all NSA personnel who have access to the BR FISA data archive to remind them of the requirements and their responsibilities regarding the proper handling of BR FISA material. NSA management personnel delivered these briefings with direct support from the Office of General Counsel and NSA's SIGINT Oversight & Compliance Office. In addition to the in-person briefings, all personnel with access to the BR PISA data archive have also received a written reminder of their responsibilities. As a follow-on effort, NSA's SIGINT Oversight & Compliance Office also initiated an effort to re-design the Agency's training for NSA operational personnel who require access to BR FISA material. The new training will include competency testing. If an analyst cannot achieve a passing grade on the test, he or she will not receive access to the BR FISA data repository.

(TS//SI//NF) In an effort to eliminate the type of querying mistakes of the archived data that were the subject of other, separate co.mpliance notices to .the Court,

TOP SECRET//CO:rv.m.--rT//NOFORN//MR
- 23 -

TOPSECRETfiCOMINT//NOFORNfiMR
see, e.g., DoJ Rule lO(c) Notices, filed 21January2009 and 26 January 2009, NSA is

implementing changes to the system that analysts use to conduct contact chaining of the BR FISA repository so that the system will not be able to accept any non-RAS approved identifier as the seed identifier for call chaining analysis. Only a limited number of NSA pers01mel will possess privileges that would allow the new safety feature to be bypassed temporarily. NSA anticipates that the feature would only be bypassed for time sensitive queries where an NSA Homeland Mission Coordinator has determined that the seed identifier satisfies the RAS standard but operational priorities cannot wait for the formal update of the list of RAS approved identifiers to take effect within the system. Additionally, NSA is implementing software changes to the system that will limit the number of chained hops to only three from any BR FISA RAS approved selector.

VJ. (U) Answers to Court's Specific Question.s:


(TSl/Sll/NF) Question 1: Prior to Janumy 15, 2009, who, within the Executive Branch,
knew that the "alert list" that was being used to query the Business Record database included telephone identifiers that had not been individually reviewed and determined to meet the reasonable and articula~le suspicion standard? Identify each such individual by name, title, and specifY when each individual learned this fact.

(TS//SI//NF) Alllswer 1: As explained in the Agency's answer to Question 3, below, after DoJ identified this matter as a potential issue during DoJ' s visit to NSA on 9 January 2009, numerous NSA and DoJ pers01mel were briefed about the problem. Accordingly, the identities of the some of the key personnel informed of the compliance

TOP SECRET//COMINT//NOFORN//MR
- 24 -

1846 & 1862 PRODUCTION 5

MAR~H

?nnR

-~R-

TOP SECRET//COMINT//NOFORN//MR issue on or after 9 January 2009 are discussed in the answer to Question 3. The NSA personnel who, prior to 9 January 2009, lmew, or may have known, that the alert list contained both RAS and non-RAS approved identifiers and were run against the incoming BR FISA data are as follows:

Title Program Mgr CT Special Projects, SID


Deputy Program Mgr, CT Special Projects, SID

Date of Knowledge May 2006

Dist:ro for Reports

Yes

May 2006

Yes

Deputy Program Mgr, CT Special Projects, A&P, SID

May 2006

Yes

NSA/OGC Attorney May 2006 NSA/OGC Attorney May 2006 May2006

Yes
Yes

No

Computer Scientist May 2006 SIGINT Dev'ment Strategy & Governance Tech Director HSAC, SID Deputy Chief HSAC, SID Computer Scientist HSAC, SID Tech Support May 2006

No

No No No No

January 2009

May 2006
MAY 20_9_?

TOP SECRET//COMINT//NOFORN//MR

-25 -

1846 & 1862 PRODUCTION 5 MARCH 2009 -59-

TOP SECRET//CO:Ml}.TT//NOFORN//MR
Mission Systems Mgmt, HSAC, SID

As ordered by the Court, the listing identifies the relevant personnel by their name, the title of the person's position with the Agency at the ti.me they learn~d, or may have learned, that non-RAS identifiers were being run against the incoming BR FISA data, and the estimated date this information did or may have come to their attention. - whose n~e is denoted by an asterisk (*) 1 has retired from Government service. Please note that the listing also indicates whether a person on the list was also on distribution for NS A's reports to the Court that contained the inaccurate description of the
alert list. This does not mean that an individual who was on distribution for the reports
was actually familiar with the contents of the reports.

(TS//SI//NF) In addition to the individuals identified above, there were at least


three (3) individuals ~eluded as named addressees on her email

concurrence to SIGINT Directorate's BR FISA implementation procedures on 25 May


2006. These individuals-

(NSA/OGC),

(NSA/OGC),

and

(SID Data Acquisition) - are not included in the listing since they

appear to have received the email for information purposes only and, based on conversations with each, do not appear to have been familiar with the implementation procedures that were attached to the email.

(TS//SI//NF) It should also be noted there are an indeterminate number of other NSA persopnel who lrnew or may have known the alert list contained both RAS and nonRAS selectors, but these personnel were not fonnall}'.~briefed on how the alert process

TOP SECRET//CO:MIN"T//NOFORN//lvlR
- 26 -

1846 & 1862 PRODUCTION 5 MARCH 2009 -60-

TOP SBCRBT!/COMlNT//NOFORN/IMR
worked and were not responsible for its operation.. Instead, they received alerts for the purpose of assessing RAS. Based on information ~vailable to me, I conclude it is unlikely that this category of personnel knew how the Agency had described the alert process to the Court.

(TSllSI!INF) Question 2: How long has the unauthorized querying been conducted?

(TS//SI//NF) Answer 2: The comparison of the incoming BR PISA material against the identifiers .listed on the alert list began almost as soon as the first Business Records Order was issued by the Court on 24 May 2006.

(TS//SUINF) Ouestion 3: How did the unauthorized querying come to light? _Fully

describe the circumstances surrounding the revelations.


(TS//SI//NF) Answer 3: On 9 January 2009, representatives :fi.:om the Department of Justice met with representatives from NSA in order to receive a briefing on NSA's handling of BR PISA material and then participated in a roundtable discussion of the BR PISA process. 14 During this briefing and follow-on discussion, DoJ representatives asked about the alert process. Upon receiving a description of the alert process from a representative ofNSA's SIGINT Directorate, DoJ expressed concern that NSA may not have accurately described the alert list in its previous reports to the Court. After confirming its initial concern via an email response from NSA on 14 January 2009 to questions posed via email on 9 !anuary 2009, DoJ .filed a notice with the Court on

(TS//SIJ/NF) NSA records indicate DoJ personnel attended at least eight BR FISA oversight sessions prior to the session on 9 January 2009 when the error was discovered but there is no indication that the use of non-RAS approved identi:(iers on the alert list was eve"f"raised:or discussed at these prior sessions.

14

TOP SECRET/!COMINT!/NOFORN/IIYlR
-27 -

1846

1862 PRODUCTION 5 MARr.H

?nn~

-n1-

TOP SECRET//COMINT//NOFORN//MR
15 January 2009 regarding this compliance matter. The following individuals participated in the briefing and discussion on 9 January 2009:

NSA Attendees

DoJ Attendees

(b)(3); (b)(6)

(S) I understand that DoJ informed the FBI's Office of General Counsel of this compliance incident on 23 January 2009. In addition, on 30 January 2009, I personally mentioned to the new Director of National Intelligence ("DNI''), Dennis , .. Blair, that NSA was investigating this compliance matter. The DNI received additional infonnation about the compliance incident on 4 February 2009, from the DNI General Counsel, Benjamin Powell, and on 12 February 2009 I provided further information to the DNI regarding the incident. Internally, NSA notified its Inspector General.ofthis compliance matter sometime after DoJ notified the Court on 15 January 2009. In accordance with Department of Defense requirements, NSA is in the proce~s of formally reporting this compliance matter to the Assistant Secretary of Defense for Intelligence Oversight as part ofNSA's current Quarterly Intelligence Oversight Report. In the manner specified by Department of Defense and DNI regulations, the Quarterly Report will also be provided

TOP SECRET//COMINT//NOFORN/!MR
-28 -

TOP SECRET//COMINT//NOFORN//MR IOB will occur, concurrent with, or shortly after the filing of this declaration with the Court. In addition to preparing the formal notification required by the Defense Department's procedures, on 10 February 2009 I provided detailed information about this compliance matter to the Undersecretary of Defense for Intelligence, James Clapper.

(TSl!SI//NF) Question 4: The application signed by the Director of the Fede1al Bureau

ofInvestigation, the Deputy Assistant Attorney General for National Security, United States Department ofJustice ("DOJ"), and the Deputy Attorney General ofthe United States as well as the declaration o Deputy Program Manager at the

National Secw.ity Agency ("NSA "), represents that during the pendency. of this order, the

NSA Inspector General, the NSA General Counsel, and the l'{SA Signals Intelligence
.

Directorate Oversight and Compliance Office each will conduct reviews ofthis program. Docket BR 08-13, Application. at 27, Declaration at 11. The Court's Or:der directed such review. Id, Primary Order at 12. Why did none of these entities that were ordered to conduct oversight over this program identifY the problem earlier? Fully describe the manner in which each entity has exercised its oversight responsibilities pursuant to the Prima1y Order in. this docket as well as pursuant to similar predecessor Orders authorizing the bulk production of telephone metadata.
(TS//SI//NF) Answer 4: As described earlier in this declaration, the oversight activities ofNSA's Office of General Counsel, Office oflnspector General, and SIGINT Directorate Oversight & Compliance Office generally focused on how RAS dete1minations were made; the ingestion of BR FISA data; and ultimately on the querying of BR FISA data once it had been stored in_fue data repository NSA maintains

TOP SECRET//COMINT//NOFORN//MR
- 29-

TOP SECRET//COMINT//NOFORN//MR for BR FISA data. From May 2006 until January 2008, there were monthly, in-person
"due diligence" meetings of oversight and operational personnel to.monitor NSA's

implementation of a number of sensitive NSA SIGINT activities, to include NSA' s activities under the Business Records Order. 15 Although each office exercised regular oversight of the program. the initial error in the description of the alert list was not caught by either the Office of General Counsel nor the SIGINT Directorate's Oversight & Compliance Office. (TS//SI/!NF) Ag~ncy records indicate that: in April 2006, when the Business Records Order was being proposed, NSA's Office oflnspector General ("OIG'') suggested to SID personnel that the alert process be spelled out in any prospective Order

for clarity but this suggestion was not adopted. Later in 2006 when OIG conducted a
study regarding the adequacy of the management controls NSA adopted for handling BR FISA material, OIG focused on queries of the archived data since the SIGINT Directorate had indicated to OIG through internal correspondence that the telephone identifiers on the alert list were RAS approved. OIG' s interest in the alert list came from
OI G's understanding that the alert list was used to cue automatic queries of the specific

analytic database where the BR FISA material was stored by the Agency. At least one employee of the SIGINT Directorate thought that OIG had been briefed about how the alert process worked. Regardless of the accuracy of this employee's recollection, like other NSA offices OIG also believed that the "archived data" referred to in the order was the analytic repository where NSA stored the BR PISA material.
15 (S//SI) The Agency canceled the due diligence meetings in January 2008 since NSA management determined that monthly, in-person meetings were no longer ne_!::_essary.

TOP SECRET//COMINT//NOFORN//MR
- 30 - 1R4S R. 1Rfi2 PRnn11r.T1nN h MARr.1-1 ?nn1:1 -hLl.-

TOP SECRET//COMINT/!NOFORN//MR, (TS//SVINF) OIG continued to monitor NSA's implementation of the Business Records Order throughout the relevant timeframe (2006-2009) by reviewing specific BR FISA compliance incidents; follo"wing up with the relevant NSA organization regarding the status ofrecommendations OIG made in a Special Study report on the

BR FISA dated 5 September 2006; and attending the due diligence meetings NSA held
until January 2008 regarding the status of a number of sensitive NSA SIGJNT activities,

to include the BR FISA activity. With respect to OIG's monitoring of the SIGINT
Directorate's progress in implementing recommendations from OIG's September 2006 Special Study, OIG asked for and evaluated the SIGINT Directorate's progress responding to OIG's recommendations.

(TS//SI/!NF) Since the issuance of the first Business Records Order in May 2006,
the BR FISA activity has received oversight attention from all three NSA organizations

charged by the Court with conducting oversight. For example, in addition to OIG's oversight activities mentioned above, beginning in August 2008 the SIGINT Directorate, with support from the Office of General Counsel, has conducted regular spot checks of analyst queries of the BR FISA data repository. The Office of General Counsel has also had regular interaction with SIGINT and oversight personnel involved in BR FISA issues

in order to provide legal advice concerning access to BR PISA data. The Office of
General Counsel has also conducted training ~or personnel who require access to BRFISA material; participated in due diligence meetings; and prepared materials for the renewal of the Business Records Order. All of these activities allowed the Office of General Counsel to monitor the Agency's implementation of the Business Records Order.

TOP SECRET//COMINT//NOFORN/IMR
- 31 ,. ...

TOP SECRET//CO:MINT//NOFORN//MR
(TS//SI/INF) As a further illustration of the attention the Agency paid to the

BR FISA Order, attached to this declaration are, respectively, copies of the Court-ordered
review ofNSA's BR FISA implementation, dated 10 July 2006, which was conducted jointly by OIG and the Office of General Counsel (Exhibit F); the SIGINT Oversight & Compliance Office's BR FISA Audit Plan from 11July2006 (Exhibit G); OIG's September 2006 Special StUdy of the BR FISA(previously identified as Exhibit E); and the implementation procedures for the Business Records Order that were reviewed and approved by NSA's Office of General Counsel' (previously identified as Exhibit B).

(TS//SI/INF) In addition, it is important to note that 1:-JSA personnel were always


forthcoming with internal and external personnel, such as those from the Department of Justice, who conducted oversight of the Agency's activities under the Business Records Order. I have found no indications that any personnel who were knowledgeable of how NSA processed BR FISA material ever tried to withhold information from oversight personnel or that they ever deliberately provided inaccurate information to the Court.

(I'Sl/SillNF) Ouestion 5: The preliminmy notice from DOJ states that the alert list

includes telephone ide,ntifiers that have been tasked/or collectionin accordance with NSA 's SIGINT authority. What standard is appliedfor tasking telephone identifiers under NSA 's SIGINT authority? Does NSA, pursuant to its SIGINT authority, task telephone identifiers associated with United States persons?

lfso, does NSA limit such

identifiers to those that were not selected solely upo': the basis ofFiist Amendment protected activities?

TOP SECRET//COI\11NT//NOFORN//MR
-32 -

1846 & 1862 PRODUCTION 5 MARCH 2009 -66-

TOP SECRET//COMil'JT//NOFORN//MR
(TS//SI//NF) Answer 5: SIGINT Tasldng Standard: Although the alert list included telephone identifiers of counterterrorism targets that had not been assessed against the RAS standard or had been affirmatively determined by NSA personnel riot to meet the RAS standard, such identifiers were not tasked in a vacuum. Whether or not an identifier is assessed against the RA~ standard, NSA personnel may not task an identifier for any sort of collection or analytic activity pursuant to NSA's general SIGINT authorities 1:nder Executive Order 12333 unless, in their professional analytical judgment, the proposed collection or analytic activity involving the identifier is likely to produce information of foreign intelligence value. In addition, NSA' s counterterrorism organization conducted reviews of the alert list two (2) times per year to ensure that the categories (zip codes) used to identify whether telephone identifiers on the alert list remained associated w i t h - or one of the other target sets covered by the Business Records Order. Also, on occasion the SIGINT Directorate changed an identifier's status from RAS approved to non-RAS approved.on the basis of new information available to the Agency.

(U) US Person Tasldng: NSA possesses some authority to task telephone identifiers associated with US persons for SIGINT collection. For example, with the US person's consent, NSA may collecfforeign communications to, from, or about the US person. In most cases, however, NSA's authority to task: a telephone number associated with 8: US person is regulated by the FISA. For the Court's convenience, a more detailed

description of the Agency's SIGINT authorities follows, particularly 171'.ith respect to the collection and dissemination of information to, from, or about US persons.

TOP SECRET//COMWT//NOFORN//MR
- 33 -

TOP SECRET//COI\1INT//NOFORN//MR (fS//SI//NF) NSA's general SIGINT authorities are provided by Executive Order

12333, as amended (to include the predecessors.to the current Executive Order); National
Security Council Intelligence Directive No. 6; Department of Defense Directive 5100.20; and other policy direction. In particular, Section 1.7(c) of Executive Order 12333 specifically authorizes NSA to "Collect (including through clandestine means), process, analyze, produce, and disseminate signals intelligence information for foreign intelligence and counterintelligence purposes to support national and departmental missions." However, when executing its SIGINT mission, N~A is only authorized to collect, retain or disseminate information concerning United States persons in accordance

with procedures approved by the Attorney General. 16 The current Atto~ey General
approved procedures that NSA follows are contained in Department of Defense Regulation 5240.1-R, and a classified annex to the regulation governing NSA' s electronic

surveillance activities.

(U) Moreover, some, but not all, ofNSA's SIGINT activities are also regulated by
the Foreign Intelligence Surveillance Act. For example, since the amendment of the FISA in the summer of2008, ifNSA wishes to direct SIGINT activities against a US person located outside the United States, any SIGINT collection activity against the US person generally would require issuance of fill order by the FISC. For SIGINT activities executed pursuant to an order of the FISC, NSA is required to comply with the tem1s of

TOP SECRET//COMINT//NOFORN//MR

- 34-

1846 & 1862 PRODUCTION 5 MARCH 2009 -68-

TOP SECRET//COMINT//NOFORN//lvfR
the order and Court-approved minimization procedures that satisfy the requirements of

50 u.s.c. 180101).
(U) First Amendment Considerations: For the following reasons, targeting a US person solely on the basis of protected First Amendment activities would be inconsistent with restrictions applicable to NSA' s SIGINT activities. As part of their annual intelligence oversight training, NSA personnel are required to re-familiarize themselves with these restrictions, particularly the provisions that govern and restrict NSA' s handling of information of or concerning US persons. Irrespective of whether specific SIGINT activities are undertaken under the general SIGINT authority provided to NSA by Executive Order 12333 or whether such activity is also regulated by the FISA, NSA, like other elements of the US Intelligence Community, must conduct its activities "with full consideration of the rights of United States persons." See Section 1.l(a) of Executive Order 12333, as amended. The Executive Order further provides that US intelligence elements must "protect fully the legal rights of all United States persons, including freedoms, civil liberties, and privacy rights guaranteed by Federal law." Id. at Section

l.l(b).

(U) Consistent with the Executive Order's requirement that each intelligence agency develop Attorney General approved procedures that "protect constitutional and other legal rights'' (EO 12333 at Section2.4), DoD Regulation 5240.1-Rprohibits DoD intelligence components, including NSA, from collecting or disseminating information concerning US persons' "domestic activities" which are defined as "activities that take place in the d~mestic United States that do not_invQ_~ve a significant co~~ction to a

TOP SECRET//COMINT/!NOFORN//MR
- 35 -

1846 & 1862 PRODUCTION 5 MARCH 2009 -69-

TOP SECRET//COMINT//NOFORN//MR foreign power, organization, or person." See, e.g., Section C2.2.3 of DoD Regulation 5240.1-R. fulight of this language, targeting a US person solely .on the basis of protected First Amendment activities would be inappropriate.

(TS//SI/INF) Ouestion 6: In what form does the government retain and disseminate information derived.from queries run against the business records data archive?
(TS//SI//NF) Answer 6: Through 29 July 2008, NSA archived the reports the Agency disseminated from its analysis of data in the BR FISA data repository in a special program-specific limited access data repository as well as on a restricted

access group of Lotus Notes servers. Reporting was transitioned to traditional NSA "ISeries" format on 29 July 2008. I-Series reports are retained in NSA's limited access sensitive reporting data repository also kept in
~----

Copies of the I-Series reports are

to allow them to be searched with spec~al ~o:ftware tools. In

addition, the I-Series reports are stored on ESECS, the Extended Enterprise Corporate Server. Access to these reports in ESECS is appropriately restricted. As directed by the Business Records Order, information in the BR PISA data archive is retained five (5) years. (TS//SI//NF) In response to Question 6, the Agency has also conducted a review of all 275 reports of domestic contacts NSA has disseminated as a result of contact
chaining

of the NSA's archive of BR FISA material. 17 NSA has

(TS//Sl//NF) Note that a single report may tip more than one telephone identifier as being related to the seed identifier. As a result, the 275 reports have tipped a total of2,549 telephone identifiers since 24 May 2006, Also note that, of the 275 reports that were disseminated, 31 resulted from the automated alert process.

17

TOP SECRET//CO:rvo:NT//NOFORN/!MR
- 36 -

1846 & 1862 PRODUCTION 5 MARCH 2009 -70-

TOP SECRET//CONITNT//NOFORN//Jv.lR
identified no report that resulted from the use of a non-RAS approved identifier as the initial seed identifier for chaining through the BR PISA material. 18 Of the 2 7 5 reports that were generated, 22 reports were based on a US identifier serving as the initial seed identifier. For each of these reports, the initial US seed identifier was either already the subject ofFISC-approved surveillance based on the FIS C's finding of probable cause to believe that they are used by agents of r the initial US seed identifier had been reviewed by NSA' s Office of General Counsel as part of a RAS determination to ensure that the RAS detennination was not based solely on a US person's protected First Amendment activities. Almost invariably, the RAS determinations that the Office of General Counsel reviewed were based on direct contact between the telephone identifier and another identifier already known to be associated with one of the terrorist organizations or entities listed in the Business Records Order.

(TS//SI//NF) For the Court's convenience, a copy of the type ofreport that NSA
was issuing prior to 9 January 2009 is attached to this declaration as Exhibit H so the Court can see how the material was reported and to whom. Also attached as Exhibit I is an exan1ple of an alert generated by the automated alert system, prior to the Agency's decision on 23 January 2009 to shut down the BR FISA alerts. (The decision was actually effected in the early morning hours of24 January 2009).

18 (TS//SI//NF) The Agency has identified one (1) report where the number on the alert list was not RAS approved when the alert was generated but, after receiving the alert, a Homeland Mission Coordinator determined that the identifier, in fact, satisfied the RAS standard. After this determination, the Agency subsequently used the identifier as a seed for chaining in the BR PISA data archive. Ultimately, information was developed that led to a report to the FBI that.~:pped 11 new telephone ~d_entifiers.

TOP SECRETl/COMINTl!NOFORNllMR
- 37 -

1846 & 1862 PRODUCTION

s MARr.H

2nn~

-71-

TOP SECRET//CO:MINT/INOFORN//MR (TS//SI//NF) Unlike reports, which NSA disseminated outside NSA, the alerts were only disseminated inside NSA to SIGINT personnel responsible for counterterrorism activity. Initially, if an identifier on the alert list generated an alert that the identifier had been in contact with an identifier in the United States, the alert system masked (i.e., concealed) the domestic identifier. Later, in January 2008, the SIGINT Directorate allowed the alerts to be sent to analysts without masldng the domestic identifier. NSA made this change in an effort to improve the ability of SIGINT analysts, on the basis of their target lmowledge, to prioritize their work more efficiently.

(TSllSillNF) Question 7:

If ordered to do so, how would the government identify and

purge information derived from queries run against the business records data archive using telephone identifiers that were not assessed in advance to meet the reasonable and articulable suspicion standard?

(TS//SI//NF) Answer 7: NSA has not authorized its personnel to use non-RAS approved identifiers to conduct chaining or pattern analysis ofNSA's analytic repository of BR FISA material. On those occasions where improper querying of this data archive has been discovered, the Agency has talcen steps to purge data and correct whatever deficiencies that led to the querying mistakes.

(TS//SI/INF) With respect to the alert process, after this compliance matter surfaced, NSA identified and eliminated analyst access to all alerts that were generated from the comparison of non-RAS approved identifiers against the incoming BR FISA material. The only individuals who retain continued access to tlus class of alerts are the

TOP SECRET//COMJNT//NOFORN//MR

- 38 -

TOP SECRET//COMINT//NOFORN//MR Technical Director for NSA's Homeland Security Analysis Center ("HSAC") and two system developers assigned to HSAC. From a technical standpoint, NSA believes it could purge copies of any alerts that were generated from comparisons of the incoming BR PISA information against non-RAS approved identifiers on the alert list. However, the Agency, in consultation with DoJ, would need to determine whether such action would conflict with a data preservation Order the Agency has received in an ongoing litigation matter.

VTI. (TS//SI//NF) Value of the BR FISA Metadata

(TS//SI//NF) As discussed in prior declarations in this matter, including my declaration in docket number BR 06-05, access to the telephony metadata collected in this matter is vital to NSA's counterterrorism intelligence mission. It is not possible to target collectiori solely on knovvn. terrorist telephone identifiers and at the same time use the advantages ofmetadata analysis to discover the enemy because ~peratives o .

collectively, the "Foreign Powers") take affirmative and intentional steps to disguise and obscure their communications and their identities. They do this using a variety of tactics, including, regularly changing telephon~ numbers,

The only effective means by which NSA analysts are able continuously to keep track of the Foreign Powers, and all operatives of the Foreign

TOP SECRET//COMINT//NOFORN//MR

- 39 -

TOP SECRET//CO:MINT/INOFORN//MR
Powers making use of such tactics, is to obtain and maintain telephony metadata that will permit these tactics to be uncovered. (TS//SI//NF) Because it is impossible to determine in advance which particular piece of metadata vvill turn out to identify a terrorist,. collecting metadata is vital for success. To be able to exploit metadata fully, the data must be collected in bulk. Analysts know that the terrorists' telephone c~ls are located somewhere in the billions of data bits; what they cannot know ahead of time is exactly where. The ability to accumulate metadata substantially increases NSA's ability to detect and identify members Of the Foreign Powers. Specifically, the NSA performs queries on the metadata: contact-chaining (TS//SI/INF) When the NSA performs a contact-chaining query on a terroristassociated telephone identifier computer algorithms will identify all the contacts made by that identifier and will automatically identify the further contacts made by that first tier of contacts. In addition, the same process is used to identify a third tier of contacts, whlch includes all identifiers in contact with the second tier of contacts. The collected metadata thus holds contact information that can be immediately accessed as new terroristassociated telephone identifiers are identified. Multi-tiered contact analysis is useful for telephony, because unlike e-mail, whlch involves the heavy use of spam, a telephonic device does not lend itself to simultaneous contact with large numbers of individuals. (TS//SI//NF) One.advantage of the metadata collected in this matter is that it is historical in nature, reflecting contact aetivity from the past that cannot be captured in the present or prospectively. In addition, metadata may also be very timely and well suited for alerting against suspect activity. To the extent that historical connections are

TOP SECRET//COMINT/tNOFORN//MR

TOP SECRET//COMINT//NOFORN//11R important to understanding a newly-identified target, metadata may contain links that are absolutely unique, pointing to potential targets that otherwise would be missed.

TOP SECRET//COI\1INT//NOFORN/IMR
- 41 -

TOP SECRET//COMJNT//NOFORN/!MR

(TS//SIJ/NF) The foregoing discussion is not hypothetical. As noted previously~ since inception of the first Business Records Order, NSA has provided 275 reports to the FBI. These reports have tipped a total of2,549 telephone identifiers as being in contact with identifiers associated with and

affiliated terrorist organizations. Upon receipt of the reporting from NSA, the FBI has sent investigative leads to relevant FBl Field Offices for investigative action. FBI representatives have indicated to NSA as recently as 9 February 2009 that the telephone contact reporting has provided leads and linkages to individuals in the U.S. with potential terrorism ties who may not have otherwise been lcno-wn to or identified by the FBI. For example, attached as Exhibit J is feedback from the FBI on the report that NSA has included as Exhibit H.

TOP SECRET//COMINT//NOFORN//I\lfR -42-

TOP SECRET//COMJNT//NOFORN//NlR

(U) I declare under penalty of perjury that the facts set forth above are true and

correct.
ti~

Lieutenant General, U.S. Anny Director, National Security Agency

KE!Jfr~
()
,2009

Executed this / JTli day of

~~<

TOP SECRET//CO.MINT//NOFORN//MR

1846 & 1862 PRODUCTION 5 MARCH 2009

-78-

(b)(1); (b)(3); (b)(6)

(CIV-NSA)D2.1;
CIV-NSA)-;

CIV-NSA) D21; -

Classification: TOP SECRET//CO:MINT//NOFORN//MR


Shift Supervisors, OGC has added clarification language to the proce_dures the modified document. ent earlier today. Please use

11!1!1111111

If you would like to discuss further tomorrow, please contact

(I'm on leave).

Office of Ge~ 963-3121(s)/--Ops2B, 288134, Suite 6250

~---Ori~

From:----(CIV-NSA) S2I5 Sent: Thursda Ma 25 2006 2: 13 PM (CTV-NSA) D21; 1 (CIV-NSA) (CIV-NSA) S Subject: (U) Proposed Interim Procedures.

(CTV-NSA)D21-

(CIV-NSA)

Classification: TOP SECRET//COMINT//NOFORN//MR

OGC, please review and provide comments.

Thanks,

...

1111

(b)(1); (b)(3); (b)(6)

suAe6276
Classification: TOP SECRET//COMINT//NOFORN/JMR

1846 & 1862 PRODUCTION 5 MARCH 2009

-81-

TOP SECRBT//CON.IJNT//NOFORN//20310403
(C) Interim procedures to ensure CT AAD is in compliance with PISC Business Records Order:

1. (TS//SI/NF) All foreign telephone numbers analyzed against the PISA Business
Records acquired under Docket Number: BR 06~05 approved on 24 May 2006 will ~dhere to the following: e ThE ALERT processing system will provide a selective notification to the NSA CT AAD Shift Coordinator that a PISA Business Record transaction has been received. This notification will contain only the foreign telephone number and collection bin category. This notification will only occur when the foreign number in the transaction matches the foreign telephone number residing in that collection bin. Tiris notification will include no domestic numbers and oc~urs prior to any chaining whatsoever. 111 The CT AAD Shift Coordinator will examine the foreign number and determine if that articular tele hone number has been reviously ased on associated with the standard articulated by the Court . Reasonable articulable suspicion must be based on a totality of the circumstances and can be met by any number of factual scenarios. However, if a seed number is of interest only because of its direct contact with one other number, that other number must be known by some identifiable standard (probably or possibly) to be used by organization. If you are unsure afw e er e stan ar 1s met, p ease contact OGC. . a Once the CT AAD Shift Coordinator has made a positive determination the number will be processed for chaining - a g a i n s t the PISA Business Records acquire under Docket Number: BR 06-05.

2.
have been suspended. The exception is active FISC FISA approved telephone numbers. 3. (TS//SI/NF) CT A.AD will rebuild these collection bins starting with the selective notifications sent to. the NSA CT AAD Shift Coordinator that a FISA Business Record transaction has been received. (as describe above) 4. The CT AAD Shift must independently review each number gleaned from all published reports. For example NSA and CIA reporting

1 As articulated in the FISC Order, "access to the archived data will occur only when the NSA h.as identified a lrnown telephone number for which, based on the practical considerations of everyday life on which reasonable and prudent persons act, there are facts 'vin rise to a reasonable articulable suspicion that the telephone number is associated with Section SA.

Denve From:

CSSM 1-52 Dated: 20070108 Declassify On: 20310403

TOP SECRET//CO MINT//NOFORN//20310403

TOP SECRET//COMmT//NOFORN//20310403 5. (TS//SIINF) Simultaneousl the CT AAD will conduct a review of the approximate 12,000 umber which currently resided in these bins 6. (TS//SI/NF) These interim steps will allow all alerting processes to continue with the added measure necessary to comply with FISA Business Record order, Docket Numl?er: BR 06-05. FN 1: (TS//SI//NF) As articulated in the FISC Order, "access to the archived data shall occur only when NSA has identified a known teiephone number for which, based on the factual and practical considerations of everyday life on which reasonable and prudent persons act, there are facts giving rise to a reasonable articulable sus icion that the telephone number is associated with (BR Order, Docket BR 06-05, Section 5(A)).

TOP SECRET//COMINT/!NOFORN//20310403

1846 & 1862 PRODUCTION 5 MARCH 2009

-83-

1846 & 1862 PRODUCTION 5 MARCH 2009

-84-

I
LO

00

(May 06 - Jan 09)


Automatic
Only 125 Analysts Can Touch This Data

en
0
0

125 Analysts Only

n**

RAS Chaining

~
No

FBI.

No Chaining Until Here

Automatic Chain

Workflow decision based on available Homeland Mission Coordinators (HMC) and volume of alerts. determine if the combined information indicates the suspect phone selector is selector as defined by the Court.

** RAS decision by HMC, who evaluates all available intelligence and open source data to

a terrorist

Deri ~ed From: NSAJCSSM 1-52


Dated: 20070108 Declassify On: 20320108

TOP SEC

1846 & 1862 PRODUCTION 5 MARCH 2009

-86-

(b)(1); (b)(3); (b)(6)

(CTV-NSA) D21 (CIV-NSA) D21 Subject: (U) Report to Court on Business Record Activit/

CIV-NSA) 0 2 1 ; -

Importance: High

Classification: TOP SECRET//COlVllNT//ORCON/NOFORN//20291123


Hi allHere is where we stand on the metadata expire on Friday. All of the draft docs are In the shared directory, under DPSPROGRAM FISA/BUSINESS RECORDS/BR FISA AUG 96 RENEWAL, except there Is a separate folder entitled REPORTS TO COURT in wich the BR report is located.

We have sent to boJ draft copies of the application for renewal, the declaraton (whic-s going to complete, rather than the DIRNSA (unless DoJ squawks)), and the Orders. We should hear from them early in the week a - e e d e d revisions, and they want to provide to the judge on Thursday am. I am hopin an be in charge of changes to it, and ~an supervise and/or assist her. Attached is the Draft of the Report to the Court. This is NOT ready to go until it is~ by I have done my best to be complete and thorough, b u - . . . . - i needs to make sure everything I have slad is absolutely true, and you guys need to make sure it makes sense and wl!I satisfy the Court. You MUST feel free to edit as you think appropriate; dont stick to what I have said if there is a better way to say it. Someone needs to format the thing too, make sure spacing, numbering, etc are all good and we need to get this into POJ's hands as quickly as we are able.

Thanks for all your help and have a great week. -

Associate General Counsel (Operations) 963-3121

1846 & 1862 PRODUCTION 5 MARCH 2009

-87-

Derived From: NSA/CSSM1.,52 Dated: 20041123

Declassify On: 20291123 Classification: TOP SECRET//COMINT/IORCON/NOFORN/120291123

1846 & 1862 PRODUCTION 5 MARCH 2009

-88-

1846 & 1862 PRODUCTION 5 MARCH 2009

-89-

TOP SECRETllCOMIN

IORCON~NOFORNllMR

National Security Agency/Central Security Service

lnspectorGeneral Report
(TS/-/SI//NF) REPORT ON THE ASSESSMENT OF MANAGEMENT CONTROLS FOR IMPLEl\1.ENTING THE FOREIGN INTELLIGENCE SURVEILLANCE COURT ORDER: TELEPHONY BUSINESS RECORDS ST-06-0018 5 SEPTEMBER 2006

D!l:RlVED FROM: NSA/CSSM !-52

. DATED: 200411:23
DECLA8Slf1V ON: MR

TOP SECRETl!COMIN'E

IORCO~NOFORNllMR

1846 & 1862 PRODUCTION 5 MARCH 2009

-~n-

(U}

OFF~CE

OF THIE

~NSPIECTOR

GENERAL

(U) Chruterec} by t1ie Di.rector, NSA/Chie:E1 CSS, the Office of the Inspector General (OIG) co.nducts inspections, audits, and investigations. Its mission 'is to ensure the integrity, efficiency, and effectiveness of NSA/CSS operations; to provide intelligence oversight; to protect against fraud, waste, and nlismanagement of resources; and to ensure that NSA/CSS activities are conducted in compliance with the Constitution, laws, executive orders, regulations, and directives. The OIG also serves as om1n1dsman, assisting all NSA/CSS en~ployees and affiliates, civilian. and m.Uita.ry.

(U) INSPECTIONS
(U) The inspection fonction conducts management and program evaluations in the form of orgaitlzational and functional reviews, undertaken either as part of the OIG's annual plan or by management request. The hwpection team's findings are designed to yield accurate and up~to-date infonnation on the effectiveness and efficiency of entities and programs, along -with an assessment of compliance 'with laws and regulations; the reconu.nenda.tions for corrections or improvements are subject ta follovvup. The inspection office also pa.itners with the Inspectors General of the Service Cryptologic Ele1nents to conduct joint inspections of the consolidated cryptologic facilities.

(U) AUDITS
(U) The in.temal audit function is designed to J)l'D"\lide an independent a1:messment of programs and organizations. Performance audits evaluate the economy and efficiency of an entity or J;>rogram, as well as whether program objectives are being met and opera'lions are in co1111)lia.nce with regulations. Financial audits determine the accuracy of an entity's financial statements. All audits are c.onducted in acconlance vvith standards established by the Comptroller General of the United States.

(U) ,INVESTIGATIONS AIND SPECIAL NNQUIRIES

CU) The OIG administers a system for receiving and acting upon requests for assistance
or comp1aints (including anonymolIB tips) about fraud, waste and .mismanagement Investigations and Special Inquiries may be underta.ken. as a result of such request~ ot complaints; at tbe request of management; as the result of irregularities that surfoce dlU'ing an inspection or audit; or at the iuitiatl:'e ofthe Inspector Genera).

CREATIVE Jlv!AGING539B81 I 1019340

1846 & 1862 PRODUCTION 5 MARCH 2009

-91-

(b)(1); (b)(3); (b)(6)

TOP 8HCRE1//f. X).f\.f INJ

/(JUCON,NOFORN//l\..1'R.

OFFICE OF THE INSPECTOR GENERAL NATIONAL SECURITY AGENCY


CENTRAL SECURITY SERVICE

5 September 2006 IG-10693-06


TO: DISTRIBtJrION

SUBJECT: (TS// SI/ /NF) Report the Assessment of Management Controls for Implementing the Foreign Intelligence .Surveillance Colll}: (FISC) Order: Telep;IJ.ony Business Records (ST-06-0018)--ACTION ~MORANDUM L (TS/ /SI//NF) Tbis report"summarizes the results of our assessment
of Management ContTols for Implementing the FISC Order: Telephony Business Records. The report incorporates management's response to the draft report. 2. (U/ /FOUO) As required by NSA/CSS Policy 1-60, NSA/CSS Office of the Inspector General, actions on OIG audit recommendations are subject to inoru.toring an.d followup until completion. Consequently, we ask that you provide a written .status report conce.nl.ing each planned c01Tective action categorized. as "OPEN." The status report should provide sufficient :inforn-iatlon to show that co1Tective actions have been co1npleted. If a planned action will not be completed by the original target completion date, please state the reason for the delay ~target completion date. Status reports should be sent t o - A s s i s t a n t Inspector General, at OPS 2B, Suite 6247, within 15 calendar days after each target completion d~e. 3. (U/ /FOUO) We appreciate the courtesy and cooperation extended to the auditors tlrroughout th lartfication or additional infarn1ation, please contact sistant Inspector General, 011 963-2988 or via e-mail a

on

[?;ttt111!IJ&~tf'ri,19f!ltttlBRJAN R. MCANDREW
Acting Inspector Geneml

Derived From: NS.AlCS SM 1-52


I>ated: 20041123 Declassify On: MR

TOP 8ECR.E1//CONiJNT
1

0RCON.NOFORN//.MR .

1846 & 1862 PRODUCT! ON 5 MARCH 2009

-92-

r,.

TOP Sl?Cl~BT//COMINT

:;OHCON,NOF'ORN//M.R

DISTRIBUTION:
DIR

D/DIR SIGINT Director

SID Program Manager for CT Special Projects, S


Chief, SID O&C SSGlSID n'~stomer Relation~hips SID Deputy Director for .Analysis and Production
Chief, S2I5 SID Deputy" Director for Data Acquisition Chief, 8332 GC
AGC(O]

.,

TOP SECN.ET//COM.lNT
11

/ORCON.NOFORN//M.R

1846 & 1862 PRODUCTION 5 MARCH 2009

-93-

'POJJ r ..

1.

~E,,,...,,RJ; '1"})\i'/: ',.J L.~... ,.r, I l/t"'(P li.J Jr-" .

rl'

'/ORCON,NQf-:Y)Rlv//J.lfR
.!)T~06-0018

(TS/ /SI/ /Nf) ASSESSMENT Of MA.NAGEMENT

CONTROLS IFOR IMPLEMENTING 1HE FOREIGN INT'E~.. LIG!ENCE SURV'EillLAJNlCE COURT (FISC) ORDER~ TELEPHONY BUSINESS RECORDS
(TS//SI/ /OC,NF) lackgrou.md: The Order of the FISC issued 24 May 2006

Jn In. re Applt.ca.ti.on of the Federal Bu.re au of Investfgatlonjor an Ord.er Requ:lrir~

Pmd.u.ct!on of Tangible Tht11gs _from [Telecommunications Provid~rs] Re.Iatfng ~ in the. Urdt:ed Sta.tes and Abroad. o. - - ... e r er s es :ia e nspector General and the General Cm.msel shall submit a :report to the Director of NSA (DIRNSAJ 45 days after the j.nitiation of actJvity [permitted by the Order) .assessing the adequacy of management controls for the processing and dissemination of U.S. person information. DffiNSA shall provide the findings of that report to the Attorney General." The Office of the Inspector General (OIG), with the Office of the General Counsel's (OGC) concurrence, issued the aforementioned iepoit on 10 July 2006 in a memorandum wifu the subject PISA Cowt Order: Telephony Bustn.ess Records (ST-06-0018). Subsequently, DIRNSA sent the memorandum to the Attorney General. This report provides the details of our assessment of management controls that was reported to DIRNSA and makes formal recommendations to Agency management.

FINDING
(TS//SI/, '.iOCrNF) The management controls designed by tile

Agency to JJOijrern the processing, dissemination, data security,. anti


ovarsfghtofte!epfionynretadata and U.S. person lnibrma.tlon obtained under the Ord~r are adequate am:/ in several e.specf:s ex~d the mrms t.!Ee Order. Due to the risk associated with the oo!lectlon Bfltd processing OYi:efepfn:my 1818f:arJat;,:p Hf1VOIV!i1g IJaS. person Jnformaiicnr three atftJftiona/ c()lntrols should be pat In place~ Spec!f'icl!Klfy, Agency management $hould:

or

.l"l

(1)

design procedmws m prfJJvide a l:igher level of assuranc6f that J'Jlfjf'i.,compliant data will not be collected and, If inadverten!'iy colledr:Jd, will be swlft{J'f expunged tmd not made avaff&tbfe ?or analysis;*

(2)

sept"Jrate:J the autfNJr!ty tD> c;pprowa metadats &7ueries f'rom the


capability m conduct querfeiw o'Jf metadata uooer thfll O.fer.

'.

1 zv)P s"~ ,,E'f'/'/C"OMFT'T" t .: .... kl.CJ'.'\.'!.. ' L1v J.

..

/ORCONNOfVJ.?N//MR

1846 & 1862 PRODUCTION 5 MARCH 2009

-94-

TOP SECRET//COM.I.NT

/OR.CON,NOF'ORN//MR ST-06-0018

(3)

conduct periodic reconciliation ofapproved telephone


m.ombers with the logs ofqueried numbers to verffjl that only authorized que1'ies have been made under tle Order.

(U) Criteria

trS/ /SI/ -/OC,NF) The Order. The Order authorizes NSA to coJJect and retain te1eph011y meta.data tn protect against international terrorism and to rocess and disseminate th.is data regarding. the United States. To protect U.S. prlvacy rights, the Order states specific terms and restrictions regardmg the callee.ti.on, processing, retention, 1 dissemination, data security, and oversight of telephony metadata and U.S. person information obtained under the Order. To ensure compliance with these terms and restrictions, the Order also mandates Agency management to implement a series of procedures to control the access to and use of the archived data collected :pursuant to the Order. These control procedutes are clearly stated in the Order. Appendix B includes a summary of the key terms of the Order and the related mandated control procedures.
[U) Standards of Internal Control. Internal coniml, or management control, comprises the plans, methods, and procedures used to meet missions, goals, and objectives. It proVides reasonable assurance that an entity :Is effective and efficient in its operations, reliable in its reporting, and compliant with applicable laws and regulations. The General Accounting Office's Standards for Internal Control in the Federal Governmen~ November 1999 (the Standards), presents the sta.ndarda that define the minimum level of quality acceptable for management control in govemment. NSA/CSS Polley' 7~3, Internal, Control Program, advises th.at evaluations of internal control should consider the requirements outlined by the Standards. The OIG uses the Standards as the ba.sis against which management control is evaluated.

(TS/ /SI/ /Nf) Documented Procedures are Needed to Govern the CoJleci:h::m of TeJephony Metadata
(TS/ /SI/ /NF) Control procedures for collecting telephony metada~ under the Order were not fonnally designed and are not clearly docmnented. .AB a result. management controls do not' provide reasonable assurance that NSA will comply witb. the follo\:\7illg terms of the Order:

(TS//SI) We did not assess the controls over retention at this 'time as the Order allows data to be retained for

five years.

TO <i'l:i'('_.1'(1,, :1, r;-rr'(r/l" :'()Jl,-1' n .. _. ia ,_4; . :u1v.,


1

rr
2

ON.00.N,NOPOlW//MR

TOP SECRET'//COM1N1

/OR.CON ,NOFURN//MF . ST-06-0018

NSA may obtain telephony metadata, which includes comprehensive communications, routing information., lnC'luding but not J.fm1ted to session identifying :Information. trunk identifier, and time and duration of a call..Telephony metadata does not include the substantive content ofany communications. or the name, address, or financial infonnatlon of a subscriber or customer.

(TS/ /SI/ /NF) As required by the Order, OGC plans to examine periodically a sample of call detail records to ensure NSA. is receiving only data authorized by the court. [I11is is tile only control procedure related ta collection that is mandated by the Order.) .Although this will detect unauthorized data that has been loaded .. into the archived database, the.re should also be controls in place to prevent un.autho~ed data from bem.g load~d into the database. In addition, good h1.teinal control practices require that documentation of internal control appear in management dhectives, a.dmirrtstratlve policies, or operating manuals. At a min1m.um, procedures should be established to:
m m

monitor incoming data on a regular basis, upon discove1y of unauthorized data. suppress unauth01ized data, from analysts' view, and eliminate unautllmiZed data from the :Incoming data stream.

01

(TS/ /SI/ /NF) With fuese proposed control procedmcs in place, the iis 1at Agency personnel will mistakenly collect iypes of data that are not authorized under the Order will be minimized. Although the primary and secondazy orders prohibit the providers from passh1g specific types of data to NSA, mi9takes are possible. For example, in responrnng to our request for :information, .Agency management disc.overed that NSA was obtaining two zypes of data that may have been in violation of the Order: a 16-dig!.t credit card number and name/partial name in the record of Operator-assisted calls. {It should be noted tlmt tl1e name/partial name was not the name of fue subscriber from the provider's records; rather, a telephone operatnr entered name at the time of an Operator~assisted call.) (TS/ /SI/ NF) In the case of the credit card number, OGC advised that, in its opinion, collecting this data is not what the Court sought to prohibit h1. the Order; but recommended that it stiIJ. be suppressed on th~ incoming data flow Jf not needed fo1 contact chaining purposes. In the case of the name or partial name, OGC advised tlmt, while not what it believed the Court was concerned about when it issued the Order, collectlng ibis :hnormation was not in keeping with. the Order's specific terms and that it should also be suppressed from the incoming .dafa flow. OGC indicated tha.t it will. report these issues to the Court when it seeks renewBl of the authorization. Agency management noted fuat these data. types were

'.fC)PSECRET(/COMJNT-/ORCON,.lWJPD.fiN//lt1R
3

1846 & 1862 PRODUCTION 5 MARCH 2009

-96-

.....

:--:;--:::.

TOP Sh'Cl~E1'//CUMlN'.I"

'/ORCON,NOFORN//MR ST-06-0018

blocked from the analysts' view. Management also stated that it will take immediate steps to suppress the data from the Incoming data flow. These steps should be completed by July 31, 2006.

Recommendation 1
(TS//SI) Design and document procedures to provide a higher level of assurance that non-compliant data wm not be collected and1 If inadvertently collected, will be swiftly exp1..mged and not made available for analysis. (ACTION:

Chief,l~-------

(U) Management Response

CONCUR. (TS/ /SI/1 Management concurred with the finding and recommendation and has already partially :implemented the recommended procedures. to block the questionable data from the providers' incoming data:llow. A final system upgrade to block the questionable data'from one remaining provider is scheduled for 8 September 2006. Testing is currently ongoing.
Status: OPEN

VNFl

Target Completion Date: 8 September 2006


(U) OJG Comment
(U)

Plaimed action meets the intent of the recommendation.

(TS/ /SI/ /NF) Additional Controls are Needed to Govern the Processing of Telephony Metadaita
(TS/ /SI/ /NF) Agency management designed, and in so.ine ways exceeded, tl1e selies of control procedures over the processing of telephony meta.data ~hat were mandated by the Order; however, th.ere are currently no means to prevent an individual who is authmized access the telephony metadata from querying, either by ~1ror or intent, a telephone number that is not compliant 'With the 01:der. Therefore, additional controls are needed to reduce the rtsk of unauthoriZed processing.

(TS/ /SI/ /OC,NFJ Processing refers to the querying, search, and analysis of telephony metadata. To protect the privacy of U.S. persons, the Order restrlcts the telephone numbers that may be queried:

TOP SECRET/JCOMliVT

/OR(!ON,1VOFOR1.:J'//M.R

1846 & 1862 PRODUCTl.ON 5 MARCH 2009

-97-

TOP SECRET//COMJNT

/OR.CON,NO.l-''OR.lV//MR
ST-06-0018

A telephone number believed to be used. . . . ..... _ ated with solely on :i.e as s o .,. ii :t 11 _-.- ii ..:.I - lilt !he Flrst .Amendment to the . Constii.u.tlon.

.. --. . .

(TS/ /SI/ /NF) Agency management designed the series of control procedures over the processing of telephony metadata that were mandated by the Order. In a short amount of tlme, Agency management moclifled existing systems and destgued new processes

to:
11

document justiftcatlons for q_uery1ng a. particular telephone number, obtam and document OGC and other authorized approvals to query a particular telephone number, and

ii

(\

maintain automatic audit logs of all queries of the telephony meta.data.

ffS/ /SI/ /NFJ These controls are adequate to provide reasonable assurance thatjusti:ftcationBare sonnd, approvals are gi\ren and documented, and that there .ia a record of all que:1ies made. .Agency management even exceeded the in~ent of the Order by fully. documenting"the newly developed process.es in Standard Operating Procedures and by developlng enhanced logging capability that will, once completed, generate additional reports that are more usable for amlit purposes.
(TS/ /SI//NF) Two 8..dditlonal control procedures are needed to provide reasonable assurance that onJy telephone numbers that meet the terms of the Order :;ire quelied.

(TSUSlllNF) TheJ autl1orlty to approvf.:/I metadata qu~rfes should be segre.gated from the capability to conduct meriiadBta queries. (TS I /SI/ /NF) 1he Chief and Depuiy Chief of the Advanced Analysis
i.
DMsio,p (AAD) and five Shift Coordinators~ each have both the authmtl.y to approve the quel'ying of telephone lll.l.mbers Ullder the Order and the capabJlity to conduct quertes. The Standarqs of
2(TS//SI//NF) The Order grsnJs approval authority ~o seven individuals: the SID Program Manager for CT Special Project:;, tl1e Chief mid Deputy Chief of the AAD, and four Shift CoordinatDrs in A/ill, InpractLce, Agency management transfor:red the airthority of the SID Program Manage1 for CT Special Pl'ojects to one additional Shift Coordinator. Approval authority therefore remains limit.ed to seven individuals as intended by the Order.

TOP 8ECRET//CO.MJ:N'1

/ ORC01\J)\fOFORJ.l/~1MF.

1846 & 1862 PRODUCTION 5 MARCH 2009

-98-

TOP .SECRlff//CO.MINT

/ORCON,NOFORN/ /MR
ST~06-0018

Internal Control in the Federal Government requtre that key duties


and respo1J.Sibllities be divided among different people to reduce the

risk of error or fraud. ln particular, responslbllitles for authorizing transactions should be separate from processing and recording them. 'I1:Us lack of segregation of duties increases the risk that Shift Coordinators and the Chief and Deputy Chief of .A.AD 'Will approve and query, either by eiror or :intent, telephone numbers that do not meet the terms of the Order.

{TS/ISi) Separate the authority to approve metada.ta queries from the capability to conduct queries of metadata under the Order. (ACTION: Chief, Advanced Analysis Division)

{U) llllanagement Response

CONCUR. [TS/ /SI/ ~NF) Manag~ent concu,rred w:ith the finding but stated that it.could not implement the recommendation because of constraints in manpower and analytic expertise. As an alternative, management recommended that SID ~ersight & CompliaIJ,ce (O&C) routinely review the audit logs of the Chief and Depuiy Chief of the Advanced Analysis Division and Shift Coordinators to verJ.fy that their queries comply with the Order. nrts alternative would be developed in conjunction with actions taken to address Recommendation 3 and is contingent on the approval of a pending request to SID management to detail two computer programmers to the team. Management is also negotiating Viiith O&C to accept the responsibility for conducting the recommended reconciliations.
Status: OPEN

Target Completion Date: 28 February 2007

(U) OIG Cr.mff'u.mt


(1S/ /SI/~ /NF) Although not ideal, management's alternative recommendation to monitor audit logs to detect errors 'Will, at a minimum, mitigate fue risk of querying telephone numbers that do not meet the temIB of the Order. Therefore, given the existing manpower cons'b.'a:!nts, management's suggested alternative recommendation meets the 'intent of the recommendation.

<'Ci'('U7i.J'1'1jtY)jitlfN'J' 1Y}P/ \-F' J.),!...1,..i:\..C I 1,rl.'fl-

/ORCON;NO.FORNI;Mr~
6

1846 & 1862 PRODUCTION 5 MARCH 2009

-99-

TOP 8EC.RR'l}/COM.JNT

'/OR CON ,NOFORN//MR ST-06-0018

(1S!IS!llNF) Audit fogs should be ro.utffnely reconclfGid to the recol'ds of


telephone numbers approved for querying.
(TS// SI/ /NF) Manageme.nt controls are 11ot .in place to verify fuat those telephone numbers approved for querying pursuant to the Order are the only numbers queried. AJ.fuough audit logs document all queries of tlle archived metadata as mandated by the Order, the logs are not currently generated in a usable format, and Agency management does not routinely use those logs to andi.t the telephon,e numbers querted. The Standards of Tntem.al Control in. the Federal Govemment recommends ongoing reconciliations to ''make management aware of inaccuracl.e.'3 or exceptions that could inili.cate internal control problems." Tue lack of routine reconciliation procedures mcreases the r:L.,;k that elTors will go undetected .

'

.. .~ecommen~atfi~n.3.-:.:_:_-. :.::. '. " . .. . .


quer~es

(TS//SU) Conduct perlof;ffc rec.oncmation of approved telephone numbers with

the ~ogs of queried numbers to verify that only authorized made 1.mde!' the Order.

have been

(ACTION: SO Spe.eial !Program Managew for CT SpecJal Projects)

(U) Management Response


CONCUR. (TS/ /SI/..-..NF) Management concurred with the :finding and recmmnendation and presented a plan to develop the necess81Y.tools and procedures to implement ib.e recommendation. However, management stated that completion of the planned actions is contingent on the approval of a pending request to SID management to detail two computer programm.ers to the team. Management is also negotlatlng with O&C to accept the respoDBibiliiy for conducting the reconnnended reconcillaiions.
Status: OPEN Target Completion Date: 28 February 2007

(fJ) DIG Comment


(U) Plaim.ed action meets tl1e intent of the recommendati.on. However, should SID management not grant the request for . additional computer programmers or O&.C not accept responsibility for conducting the reconciliations, management must promptly .infon11the OIG and present an alternative plan,

TOP SECr?ET//COAilNT

'/ORCON.NOFORN//lliR
7

1846 & 1862 PRODUCTION 5 MARCH 2009 -100-

ORCON,NOFORN//MR ST-06-0018

(TS!ISil!NF) At the time of our review) there was no policy in place to perlodically revieiti/te/ephone numbers approved for querying under the Order to ensure that the telephone numbers still met the criteria. of the Order. Although t/1e Order is silent on the length of time a telephone number may be queried once approved, due diligence requires that Agency management Issue a pollcy decision 011 tl1/s matter and develop procedures to execute the decision.

(TS/ISi/iNF) Management Controls Governing the Dissemination of U.S. Person Information are Adequate
(TS/ /SI/ /NF) Agency management implemented the series of control procedures governing the dis~em.inatton of U.S. person information mandated by the Order. O&C designs and implements controls to ensure USSID SP0018 compliance across the Agency, to include obtaining the approval of the Chief of Information Sharing Serv.jces and maintaining records of dissem.lnation approvals, as required by the Order.' No additional procedures are needed to meet the :intent of the Order. Furthermore, these procedures are adequate to provide reasonable assurance ihat the following terms of the Order. are met:
Dissemination of U.S. person information shall follow the standard NSA m.inirnization procedures found in the Attorney General-approved guidelines (USSID 18),

(TS/ISi/iNF) Management Controls Governing Data Security are


Adequate
(TS// SI/ /NB} Agency management implemented the selies of control procedures governing the data security of U.S. person information as mandated by the Order, such as the use of user IDs and passwords.. Agency management exceeded the teims of the Order by maintaining additional confrol procedures that provide an even higher level of assurai1.ce that access to telephony metadata will be limited to authorized analysts. Most of these controls had been Jn place prior to and aside from the issuance of the Order. Only the requirement that OGC periodically monitor individuals with access to the archive was designed in response to the Order. Combined, these procedures are adequate to provide reasonable assurance that Agency management complies with the following terms of the Order:
DIRNSA shall establish mandato1y procedures strtctly to . control access to and use of the archived metadata collected pursuant to this Order.

'J'OP 8ECR'ET//COM.fNT

/ORCON,NOFORN"//MR

1846 & 1862 PRODUCTION 5 MARCH 2009 -101-

...............

TOP 81CRET//CO.M INT

/ORCON..L\!0 FORN//l\:W ST~o6MD018

(TS/ /SI/ /NF} Additionally, O&C plans to reconcile the list of approved analysts with a list of author.lzed users to ensure only approved analysts have ac,eess to the metadata.

(TS/ISi/iNF) Jl/lanageinent. Controls Governing the Oversight of Activities Conducted Pursuant to the Order t!llf!J Adequate
(TS/ /SI/ /NFj As mandated by the Order, Agency management
designed plans to provide general oversl.ght of activities conducted

pursuant to fue Order. The Order states that,


'Ihe N8A Inspector General, the NSA General Counsel, and the Signals lntelligence Directorate Oversight and Compllance Office shall periodically review- this. program.

(TS/ /SI/ ~OC,NF) Specifically, Agency mapagenient designed . the following plans that are adequate to ensure compliance with the Order.
Q>

ITS I/ SI/ /NF) The OGC will report on the operations of the program for each renewal of the Order.

<i>

ITS! /Sr/ /NF} O&C plans to conduct pertodic audits of


the queries.

pon issuance o the

r er, - e au was pu on hold to complete the cornt-ordered report. OIG will modify the audit plan to include tlle new requirernents of the Order. Once sufftctent operations have _occurred under the Order to allow for a full range of compliance and/or substantive testing, the audit will proceed.

--

TOP SECRET//COJJ.JINT

/ORCUN ,NOFORN//llfR

1846 & 1862 PRODUCTION 5 MARCH 2009 -102-

'fOP 8ECl?.ET//COMlNf

IOf?.CON,NOF'ORN/!J\IIR
ST~06-0018

(TS/ /SI//NF) The activities conducted under the Order are extremely sensitive given the iisk of encountering. U.S.. person information. The Agency must take tbis responsibility seriously and show good faifu in its execution. Much of the foundation for a strong control system is set up by the Order itself, in the form of mandated control procedures. In many ways, Agency management has made the controls even stronger. Our recommendations will address conb:ol wealmesses not covered by the Order or Agency management and will meet Federal standards for intemal control. Once the noted weaknesses are addressed, and additional controls are :Implemented, the management control system will provide reasonable assmance that the terms of the Order will not be violated.

TOP S.ECil.ET//COMfNT

/O.RCON,NOFORNJ/l\fR

1846 & 1862 PRODUCTION 5 MARCH 2009 -103i

...

.~

.... :'

l; -.

TO J.-' SECRET//COMil'ilT-

/ORCON,NOFOPJ\T//.MK ST-06-0018

. TOP 8ECRE1//CONrJN'1
11

/OR.CON 1'JOFORA~!/JlfN.

1846 & 1862 PRODUCTION 5 MARCH 2009 -104-

'

.. :

........

~ _ . . . : . - , - ,. . . . . . .

-"

M .... ,

... , _ .

.~

'.

''l'()U ~.#.

L'lh''V ~}Q\,1.\ .. J;,r

T.i"1'1/('()MJN'1' I
.1 ,

/ORCON~NOH..JBN//MR

ST-060018

This page intentionally left blank

I1

11 F1-1'7 ~.'li'CR 1<~1'/.I 'C0LY.!...J.'ti. .. 1 t.J.f.., ..1.\.!'"'. 1'()1

/ORCON:NO.F'ORN//MR.
12

1846 & 1862 PRODUCTION 5 MARCH 2009

~105~

TOP 8BCRE'J.~l/CO.M1NT . .

/Ol?COJ1..1,NOFORN//MR
ST-06-0018

{U) ABOUT 1~1wH5 AUDIT

(TS//SI) The overall objective of this review was to determine whether management controls 1'1i.1ill provide reasonable assurance that Agency management complies with the terms of the Order. Specific objectives were to: " verify that Agency management has designed the conU-ol procedures mandated by the Order. assess the adequacy of all management controls :in accordance "Mth tl1e Standards ofInternal Con:troi in the Federal Gouemrnen:J:.

(U / /FOUO) The audit was eon.ducted from May 24, 2006 to July 8, 2006.

CU/ /FOUOJ We :Interviewed Agency personnel and reviewed


documentation to satiszy the review objectives.

(TS/ /SI} We did not conduct a full range of compliance and/ or substantive testing that would allow us to draw conclusions on the efficacy of management controls. Our assessment was limited to the overall adequacy of management controls, as directed by the Order.
(TS/ /SI) As footnoted, w-e did not assess controls related to retention of telephony meta.data pursuant to the Order. A'3 the Order autho1izes NSA to retain data for up to five years, such. controls would not be applicable at this time.

tile

TOP SECRET/(CO:lkfLN'I~/ORCON,NDFORJ\7//MR

'

13

1846 & 1862 PRODUCTION 5 MARCH 2009 -106+

TOP SECRh"l'//COMlN

/ORCON,NOF'O.RN/I MR ST-06-0018

This page intentionally left blank

--
TOP 8X:CCRB'I'//(XJM fNLl
14
1

/0RCON,NOFO.RN//MR

1846 & 1862 PRODUCTION 5 MARCH 2009 -107-

'

:~-.::.. ..:.;:

!-

.-.

TOP 8FCFUi'J'//CO.ll-1JNT

ORCON,NOFO.RN/,!JJ. JR
1

ST-06~0018

(U/!fOUO) Telephony Business Records FISC Order"' Mandated Terms and Control Procedures

f']!i'(,'P i:;.'']'lj('0'11-tl'll.7TTOP ~.) ,,,,..r:\J::... I .i :..L t'J.. J. -.


.ri
..J

iQRCON,1VOHJRN//JV!R

15

1846 & 1862 PRODUCTION 5 MARCH 2D09 -108-

-:r."'\\"'

TOP SEC.NET//COMINT

''/ORCXJN,NOFORN//MP: ST-06-0018

This page intentionally left blank

'1" I "l;I S1.l nR >:i."f' 1/('0.tY..l. n lrJN'J' 'll._J.."l . . :1l~.1~./,


.I'

/O.RCON,NOFORN//MR
16

1846 & 1862 PRODUCTION 5 MARCH 2009 -109-

; I
O

TOP. SECRETi/COrvUNT

........ ........
.I

.JRCON,NOPORN//l'vffi

ST-06-00lB

Cl)

(U} Business Records FISC Order


(U) Mandated Terms and Control Procedures
(TS//SI//NF)

0 0 .N

Control Area
Collection of Metad.ata

Terms of the Order


NSA may obtain telephony metadata, which includes comprehensive commnni.cations routing mfonnation, including but. not limited to session identifying information (e.g., originating' and terminating telephone number, commrurications device identifier, etc.), trunk identifier, itn.d time and duration of call. Telephony metadata does not include the substairtive content of any comm:unication, as define.ii. by 18 USC 2510(8) or the name, address, or financial information of a . Subscriber or ~ustomer (pg. 2, para 2).

Responsible Entity

Cont:rroI Pirocedur-es
At least twice every 90 days, OGC shall conduct random spot checks, consisting of an ~xami.nation of a sample of call detail records obtained, to ensure that NSA is receiving only data as authorized by the Court and not receiving the subst..antive ,. content of the communications (pg. 10, para (4)J). 'i

OGC

I
.!.D

'<::!"
.

00

.,....

TOP SECREFtCOJ\.ifNT
17

0Rf"ON.N0FORN 1:]\.-fR

ST-06-0018

(TS!/SI//NF)
Control Area
Processing (Search& Analysis, or Querying of Archived Metadata)

Terms of the Order


Although data collected under this order will be broad, the use of that information for analysis shall be strictly tailored to identifying terrorist communications and shall occur solely according to the procedures described in the application (pg. 6, para (4)D)Any search or analysis of the data archive shall occur only after a particular lcn~~ne I II b ha b "td -~ I g. 5, para (4)A).

Responsible Entity
OGC

Control Procedures
OGC shall review and approve proposed queries of ~chived metadata based on seed account numbers reasonably believed to be used by U.S. persons .(pg. 6, para (4)C).

PM, Chief or D/Chiefof A.AD, Shift Coordinators

Queries of archived data must be approved by one of seven persons: SID PM for CT Special Projects, the Chief or Deputy Chief, Counterterrorism Advanced Analysis Division. or one of the four specially authorized CT Advanced Analysis Shift Coordinators in the Analvs is and Production Directorate of SID (pg. 7, para (4)D). .
SID PM for CT Special Projects; Cmef and Deputy Chief, CT 'Advanced Analysis Division., and CT Advanced Analysis Shift Coordinators shall establish appropriate management controls (e.g., records of all tasking decisions, audit and review procedures) for access to the archived data (pg. 8, para (4)G) .

PM; Chief&
D!Chiefof AAD, &Shift Coordinators

.......
en
-0 0

00

AAD Analysts

"'
;:o 0

para (4)A);

c
0

..

A telephone number believed to be used


by a U.S. person shall not be re axded as associated with

a nd Technical Support

-I
0

Maintain a record ofjmtffications because at least every ninety days, the Department of Justice shall review a sample of NS A's
justifications for querying the archived data (pg. 8, para (4)E). When the metadata archive is accessed, the user s login, IP address, date and time, and retrieyal request shall be automatically logged for auditing capability (pg. 6, para (4)C). OGC will monitor the :funr:tioning of this automatic logging ca~ability (pg. 6, para (4)C).
.Analysts shall be briefed by OGC conceming the authorization. granted by this Order and the limited circUIDStances in which queries to the archive are permitted, as well as other procedures and restrictions regarding the retrieval, storage, and dissemillation of the archived data (pg. 6, para (4)G).

OGC
DIRNSA shall establish mandatoq procedures strictly to control access to and use of the archived

OGC

N Cl Cl
CD

data collected pursuant to this Order (pg. 5, para (4)A).

....... ....... .......

11

TOP SECR ET.'COM1?..;T':NOFORN/f~0310404


I.._.,
1')

TOP SECRETi/COMfNT

'QRCON,1'10FORN I/MR

ST~06-0018

(TS//SV!NF)
Control

Terms of the Order


Dissemination of U.S. person information shall follow the standard NSA minimiz:::i.tion procedures found in the Attorney General-approved guidelines (USSID 18) (pgs. 6-7, para (4)D) &pg. 8, para (4)G).

Responsible

Control Procedures
Prior to the dissemination of any U.S. person identifying information, the Chief of Information Sharing Services in SID must determine that the information identifying the U.S. person is in fact related to Counterterrorism iDformation and that it is necessary to undersr.and the Counterterrorism information or assess its importance (pg. 7, para (4)D). A .record shall be made of ff'"very such determination (pg. 7, para (4)D).

Area
U.S. Person I of Information Dissemination

Entity
Chief of
Information Sharing Scrv:ices in SID

Metadata Retention

Metadal:a collected under this Order may be kept online {that is,. accessible for queries by cleared analysts) for five years, at which time it shall be destroyed (pg. 8, para (4)F). (TS//SI//NF) DlRNSA shall establish mandatory procedures strictly to control access to and use of the archived data collected pursuant to this Order (pg. 5, para (4)1\).

Ill!
Support

None

Dfta Secm:ity
00
0)

1:

:::0
0

-u
0

The metadata shall be stored and processed on a secure private network that NSA exclusively will operate (pg. 5, para (4)B). Access to the metadata archive shall be ;i.ccomplished throug..h a software :interface that will limit access to this data to authorized analysts controlled by user name ~d password (pg. 5, para (4)C).

Support

c:
(")

OGC Oversight The IG, GC, and the SID Oversight and Compliance Office shall periodicallyrev;ewtbis program (pg. 8, para (4):8) ..

-I
0

OGC shall monitor_ the designation of i.p.dividuals with access to the archive (pgs. 5-6, para (4)C).

z:

01

:s:: )>
:::0
(")

. IG, GC. and SID Oversight aud Compliance Office DffiNSA

Tn.e IG and GC shall submit a report to DIRNSA 45 days after


the initiation of the activity assessing the adequacy of the IIIBD.agement controls for the processing and dissemination of U.S. person information (pg. 8i para (4)H). DIRNSA shall provide the findings of that report to the Attorney General (pg. 9, para (4)H),
I

:c
N 0
0

w
11

TOP SECRETliCOMil'ff

ORCON,NOFORN //l'v1R

TOP BECR E'r'//COM1N1'

0RCON,NOFOR.N//Ml? ST-06-0018

'

Tbis page intentionally left blank

'/''")"> n~r,1~"7'PI t. J L~.b, ' \'l:J,J. f / 'C(Ji''ffNl"T' , , .lY.c . I J.

ORCON,NOFORIV//MR

1846 & 1862 PRODUCTION 5 MARCH 2009 -113-

.1..-;of

... -

'

.. ,..

'

'!.

..

.."":--

.~

....

TOP 8BCN BT//COJ1if1NT

/ORCON,NOPORN//MR
ST-06~0018

-- .

'1846 & 1862 PRODUCTION 5 MARCH 2009 -114-

........

TOP SECRKCI/COM.IN'!

/ORCON,NOFORN//MR.
ST-06-0018

This page :intentionally left blank

--,..

--

TOP SECR.B'l '//CO.I\!Jll>.n


22

'/OR.CO N,NO FORN/ /1\!IR

1846 & 1862 PRODUCTION. 5 MARCH 2009 -115-

~.

'.

TOP SECRET//COMJNT

'NOFORN//~0301115

PROGRAJVlf JVf.ElVIORANDUI\11
PM-031-06 Reissued 29 Aug2006'

To;

Office of the Inspector Genera

SUBJECT: (TS//SI//NF) PMO Response to IG-10681-06, Subject Dra:ft.Repott on the Assessment of Management Controls for impleme1iting the FISA Cowt Order: Telephony Business Recorde (ST-06-0018)

1. (U//FOUO) The SIGil'IT Directorate Program Of-ffoe appreciates and welcomes the Inspector General Office ts review of program operations as required by the subject court order. The Program Office offers the following response.

2. (TS//SI//NF) This repo1tpresents three findings/recommendations. Findtng one pertains to procedures to provide a higher level of assurance that non-compliant data will not be collected and, if inadvertently collected, will be swiftly expunged and not m\}de available for analysis. Finding two pertains to the goal to separate the authority to approve meta.data queries from the capability to conduct queries. Finding three pe1tains to the requirement to conduct periodic reconciliation of approved telephone numbers with the logs of queried mnnbers to vel'ify that only authorized queries have b'een made.
3. (TS//SI!] f1NF) With respect to Finding One, the Program Office aclmowledges that the item is factually correct and concurs with the assessment with comment. It should be noted that internal management controls,.lmown as sofu~rnre rules that are part of t h e - database, do prevent the data in question from ever being loaded into the operation~ contact chaining databases. Still, the data in question did exist in the da.taflow and should: be suppressed on the provider-end as the OIG recommends.

a cT'S//SvA INF) C01TectiveActions: Although already partially implemented among the providers, the final system upgrade necessary to block the data in question :from one provider 011 the incoming dataflow is scheduled to be in place by 8 September 2006. Testing continues at this time.
4, (TS//SJ//NF) Finding Two recommends two additional controls. With respect to the first, "Tile authority to approve metadata queries should be segregated from the capability
to conduct metadata q'ueries 11 , th~ Program Office agrees the assessment has merit, but cannot implement the required corrective actions. fu theory, the OIG recommendation is som1d and conforms fully to the standards of internal control in the Federal Government. In practical tem1s, it is not something.that can be easily implemented given the Deiived From: NSNCSSM 1-52 Dated: 20041123 D~cfo.ssify On: 2030 J 115 /NGFORN!/20301115

TOP SECRETllCOMINTI

1846 & 1862 PRODUCTION 5 MARCH 2009 -116-

~: ~~

...... .
'

T.OP SECRET//COMINT/

/NOFORN//20301115

risk/benefit tradeoff and real world constraints. Manpower ceilings ru1d available analytic . cxpe.rtise are the two most significant limiting factors.

5. (TS//Sil/NF) The Advanced Analysis Division (S2IS) is comprised of personnel of varying grades and ex.pe1ience levels. Giventhe requirements of the court order, the Shift.
Coordinators are required to be the most experienced intelligence analysts, have the most training and consequently hold the most senior grade Jevels. They therefore are given the authority to ap-rove data queries, and because of their status can also execute queries. Removing this dimension of their authorities would severely limit the versatility of the most experienced operations personnel. Also, as their title implies, they are also the most senior personnel present d1u:h1g each operational shift and in effect control the ops tempo on the operations floor. Replicating that senior structure to accommodate the OIG reconunendation is not possible given. current mam1ing authorizations and ops tempo.

a. (TS(/SI//NF) However, there are checks and ba] ances already in place to help mitigate the nsks cited. For example, the Shift Coordinators.routinely approve queries into the database based on selectors meeting a reasonable articulable suspicion standard IAW with NSA OGC w1itten guidelines and verbal briefings. Any queries initiated from probable U.S. sclectol's must be individually approved by the OGC. In this way, the risk of error or fraud associated with the requirements of the court order is acceptably mitigated within available manning and analytic talent constraints.

b. (TS(/SJ}INF) Con-ective Actions: Corrective actions cannot be implemented significantly increasing manning levels of senior, ltlghly skilled analysts. In our view, the benefit gained will not justify the manpower increase required. However. it maybe pqssibie to impleme?nt additional checks and audits on the query approval process. AB recommended in the response to Finding Three below, Oversight and Compliance could, if they accept an expanded role, use (yettO be developed) new
~thout

automated software tools to regularly review the audit logs of all shift coordinators. With
software changes to the audit logs it would be possible to ~asily compare numbers approved and their accompanyingjusfrfications against numbers cha:h1ed. In this way, it

would be possible to review the shift coGrdinator's actions against the standards

established by the court T11e Program Office recommends that this co1rective action be
pursued as pa.it of the long tenn goal discussed below. 6. (TS//SI//NF) Find:ing Three reads "conduct pe-.riodic recoi.1ciliation of approved telephone numbers with the logs of queried numbers to verify that only authorized. qu.eries have been J11ade UIJder tl1e order". The Program Office agrees with this assessme11t However, competing priorities for the software programming talent necessary to implement i.m.provements to the audit logs, as well as t.o perform the pro grammiug necessary to create automated rec.anciliation reports, require that this issue: be addressed as a lon.g tenn goal. a. (TS//SV/NF) If SID management approves a pending Program Office request to detail two oomputerprogrammers to the team for six-to-nine month rotations, suitable procedures and.software tools could be implemented. Also, the Program Office has approached the office of Oversight and Compliance about accepting the responsibility of conducting the recommended audits. That negotiation is ongoing:

TOP SECRET//COMJNT/

- FORN//20301115

1846 & 1862 PRODUCTION 5 MARCH 2009

-111~

TOP SEl:RET//COMINT/~OFORN//20301J15 b. (TSl/Sll/NF) Corrective Action: Acceptable tools and procedures can be developed within six mond1s if the required manpower is allocated. Assum.mg the Program team 1s request is granted, this initiative can be completed by 28 Febmary 2007. The con-ective action will include: 1. (U//FOUO) Improvements to the audit logs to make them more user fri.endly 2. (U//FOUO) Reports that provide a useable audit trail from requester, to approver, to any resulting reports. These rBJ)Orts will be used to automatically identify any cliscrepan.cies in the query process (i.e. queries made, but not approved). 3. (U//FOUO) Complete the negoliations with SID Oversight & Compliance 7.
(Uf/FOUO) Please contact me if you have additional questions.

SID Program Manager CT Special Prograins

TOP SECRETl!COMINT

FORN/1203011 LS

1846 & 1862 PRODUCTION 5 MARCH 2009 -118-

IT'S EVERYBODY'S BUSINESS -

. TO REPORT SUSPECTED INSTANCES OF FRAUD, WASTE, AND lvITSMANAGEMENT, CALL OR VISIT THE NSA/CSS IO DUTY OFFICER ON 963-5023s I1'T OPS2A/ROOM 2A.0930

IF YOU WISH TO CONTACT THE OIG BY MAIL, ADDRESS CORRESPONDENCE TO: DEPARTMENT OF DEFENSE NATIONAL SECURJTY AGENCY/ CENTRAL SECURITY SERVICE ATT: INSPECTOR GENERAL 9800 SAVAGE ROAD, STE 6247 FT. MEADE, I\ID 20755-6247

1846 & 1862 PRODUCTION 5 MARCH 2009 -119-

1846 & 1862 PRODUCTION 5 MARCH 2009 -120-

1846 & 1862 PRODUCTION 5 MARCH 2009 -121-

J.P SEC.RETl!COA'fTf'lTl/NOFOI'u-\J-. /ti{

OFFICE OF THE INSPECTOR .GENERAL


NATION.AL SECURITY AGENCY CENTRAL SECURITY SERVICE
10 July 20.06 IG-10667-06

TO:

DIRECTOR. NSA .

SUBJECT: {TS/ /SI/ /NF) FISA Court Order: Telephony. Business Records (ST-06-0018)
1. (TS/ /SI/ /NF) Background and Objective. The Order of the ~oreign . Intelligence Surveillance Court issued 24 May 2006 in In Re Application of the FBI etc., No. BR-06-05 {Telephony Business Records) states that "[t]he ln$pector . , General and the General (:ounsel shall submit a report.to the Director of NSA 45 . days after the initiation of the activity [permitted by the Qrder] assessing the . adequacy of the managem~t controls for the pi:ocessing ;,md. disserrcinati.on of .: U.S. person information.'' 'This is that report. The Order further states that . . "[t]he. :Director of NSA shall provide thE;? findings of that report to the Attorney General." Order at 8-9. The Order sets no deadline for transm.Lssion of the. findings to the Attorney Gener.al.

. ':

. 2. (TS/ /SI/ /NF) .Finding. The management controls designed by the . Agency to govern the processing, diss.emination, security, and.oversight of telephony metadata and U.S .. person information obtained under the Order are adequate and in several aspects exceed the tenns of the Order. However, due to the risk associated vvith the collection and proces.sing of telephony metadata . '. involving U.S. person information, 'f:0ree additionai controls should be put iJ:l . : .. place. Specifically; Agency management should (1) design pros:eduref:i to. :. : ; .. provide a higher level of assurance that non-compliant data will not be collected . . ": and, if inadvertently collected, -willbe swiftly expunged and not made available .. for analysis; (2) separate the authority to approve metadata queries from th~ capability to conduct queries of metadata under the Order; and (3) cond:Uct .. . periodic reconciliation of approved telephone numbers to the logs of queried . numbers to verify that only authorized queries have l;>een made under the Order. ,
= "

'

D.erh:;ed Fron1.; N'SAICS5t\l11~52..


Dated: 20041123
Decfr:rss~hf

On: MR

. .

TOP SECRET/ IC OJ\11.f'ffl lr'\IOJ'O RN/ I l\.'IR

1846 & 1862 PRODUCTION 5 MARCH 2009 -122-

Td.

_jCRET!JCOT\!I1NTl!NOFORN//N.f;, ,

-23. (TS/ /SI) Further Review. The Inspector General will make formal recommendations to the Director, NSA/CSS, in a separate report regar~g the design and implementation of the additional controls. 4. (U I /FOUO) We appreciate the courtesy and cooperation extended : throughout our review to the auditors .from the Office of the Inspector General: . and the attorneys from the Office of the General Counsel who consulted with them. If you need clarification or additional information please c o n t a c t - o n 9.63-1421(s) or via e-mail at . . . . .

...

. .
'

':

. .

..

Inspector. Gene~al

:'

.
'

: .....

(U I /FOUO) I endorse the conclusion that the management controls for th~
proce~sing and dissem.D;l~tio~

of U.S. F'.erson ~ormation are a4equ~te.


.... .

.
' I

':

... . ~

. .
' : '

'
'

.:. .::'
."

..

. .r'
,'

'

...

L
I :

ROBERT L. DEITZ General Counsel .

"' ' .. . .
'

...
. .

)f'

s Ec RE Tl! c 0 iv1I./\/Tf J.iWJf'O f?.j\f 11 i\1 u

1846 & 1862 PRODUCTION 5 MARCH 2009 -123-

,JP SEC.RETJICOrAfNI'J/NOFORf\J"r.. ~-fR


-3-:- .. .

. DISTRIBUTION:

.. ,

SIGINT D:irector ' SID Program Manager for CT Special Projects


Cbief, 82 Chief, S2I . Chief, 8215 Chief, 83. Chief, 833 OGC SID O&C

.:

. ' .
:
'

:
~

.....
.. .

. . .:

...

.: .

. . :

',

..

: .

,:

.
:'

. ... "
,

..

.
.

..
'

". .

. ...
.. .

. . .
'

.
.

,.

. .

'.

!,

: ...

'

.
.:
"'

. . , .. . . . .
I'

. : ...
~

"
:

. :'-. .. . .... .:

.
.

'

.. . .

... .

TOP Sf,C R.ETYJCOt\-1 l NT! IN OFO RNI I/Vi R.

1846 & 1862 PRODUCTION 5 MARCH 2009 -124-

1846 & 1862 PRODUCTION 5 MARCH 2009 -125-

TOP SECRET//COMilIT//NOFORN//20301129

FM: SID Oversight&. Compliance Date: 11 July 2006 Subject: Final Responses to the OIG Records Or~er (U)
=

Reques~

for Information

Business

SID Oversight and Compliance

1.

(TS/ /SI/ /NF) Written plans for periodically reviewing tMs program.
(TS//SI//NF) SID Oversight and Compliance will:

ln coordination with Program Office, conduct weekly reviews of list of analysts authorized to access Business Records data and ensure that only approved analysts have access. Oversight & Compliance will inform NSA's Office of General Counsel (OGC)of the results of the reviews and provide copies if needed to OGC.
Perform periodic super audits of queries. Work with the Program Office to ensure that the data remains appropriately labeled, stored and segregated according to the t~rms of the court order.

2.

(TS/ /SI/ /NF) Written procedures in addition to USSID SP0018 to


ensure compliance with standard NSA minimization procedures for the dissemination of U.S. person information.

(TS//SI//NF) SID Oversight and Compliance has a documented SOP which outlines the process to .ensure compliance with standard NSA minimization procedures: During normal duty hours, every report from this order containing U.S. or 2nd Party identities is reviewed by SID Oversight and Compliance priOr to dissemination. SID Oversight & Compliance (SV) reviews the products (Tippers) and creates a "one-time dissemination" authorization memorandum for signature of the Chief or Deputy Chief of Information Sharing Services. The NSOC 500 approves dissemination authorizations after hours. S2I/Counterterrorism Production Center provides SV with a copy of any report that is approved by NSOC/SOO for dissemination. Oversight and CompHance then issues a memorandum for the record stipulating that the U.S. or 2nd Party identities contained in that report were authorized for dissemination by the NSOC/SOO.
Derived From: NSNCSSM 1-52 Dated: 20041123 Declassify On: 20301129 TOP SECRET//COMINT//NOFORN//20301129.

1846 & 1862 PRODUCTION 5 MARCH 2009 -126-

1846 & 1862 PRODUCTION 5 MARCH 2009 -127-

1846 & 1862 PRODUCTION 5 MARCH 2009 -128-

1846 & 1862 PRODUCTION 5 MARCH 2009 -129-

1846 & 1862 PRODUCTION 5 MARCH 2009 -130-

. ~:~:-. :..

.. .
'

,,;...

'',

/:; ~:.~.'~
. .
~.
~
'\,

1846 & 1862 PRODUCTION 5 MARr.H ?nnA

-1~1~

. . .<=:r:~H'.f.~~

; . :~.! .

;:;

1846 & 1862 PRODUCTION 5 MARCH 2009 -132-

~~ ~ ;_ ::
. , ..... .l

~ :: :,J.

- ,..; ..

,.! \

1846 & 1862 PRODUCTION 5 MARCH 2009 -133-

:.

..

'~.:.

: :

.. . :,
'

'

cc

j~~~

....

1846 & 1862 PRODUCTION 5 MARCH 2009 -134-

::.

"i.'

'

.,: ;:.

,;

1846 & 1862 PRODUCTION 5 MARCH 2009 -135-

1846 & 1862 PRODUCTION 5 MARCH 2009 -136-

1846 & 1862 PRODUCTION 5 MARCH 2009 -137-

1846 & 1862 PRODUCTION 5 MARCH 2009 -138-

1846 & 1862 PRODUCTION 5 MARCH 2009 -139-

TOP SECRET//COMINT//NOFORN//MR
UNITED STATES

.~& FJJREiOv ~ 11:!_/ tLLfr;El\iri:: .,,UHVtlLLANc~'c''.o'-u,.,r '" '' K

FOREIGN INTELLIGENCE SURVEILLANC:p'. COURT' WASHINGTON, DC

ZfJJ9 Frn 26
.

Pr1 3: 23

CLER!\ OF COURT

IN RE PRODUCTION OF TANGIBLE TIIINGS


Docket Number: BR 08-13

NOTICE OF COM.PLIANCE INCIDENTS (U)

The United States of America, pursuant to Rule lO(c) of the Foreign Intelligence . Surveillance Court Rules of Procedure, advises the Court of the circumstances
,.

surrounding two compliance matters in docket number BR 08-13 and prior dockets in this matter. In support of this notice, the Government submits the attached Supplemental Declaration of Lt. General Keith B. Alexander, U.S. Army, Director of the National Security Agency (NSA) ("Supplemental Alexander Declaration"). ('TS) In response to the Court's Order of January 28, 2009, the Director of NSA ordered end-to-end system engineering and process reviews (technical and operational) of
NSA's handling of the call detail records collected pursuant to the Court's

authorizations in this matter ("BR metadata"). See Declaration of Lt. General Keith B.

TOP SECRET//COMINT//NOFORN//MR

.&

86

PRODUCTION 5 MARCH 2009 -140-

TOP SECRET//COMINT//NOFORN//MR Alexander, "U.S. Army, Director, National Security Agency, filed February 17, 2009, at 21
1 (

'Alexander Declaration"). The Director also ordered an audit of all queries made of the

BR metadata repository since November 1, 2008, to determine if any of the queries during that perio~ were made using telephone identifiers for which NSA had not determined that a reasonable, articulable suspicion exists that they are associated "With

ns, as required by the Court's Primary Orders. 1 Id. at 2223. These reviews identified the following two matters where NSA did not haridle the BR metadata in the manner authorized by the Court.2 (TS//SI//NF) Queries Using~I_ _ _ _ _ On February 19~ 2009, NSA notified the National Security Division (NSD) and the Office of the Director of National Intelligence that one

of its analytical tools (known as

may have been used to query the BR

inetadata and that such queries may have used non-RAS-approved telephone identifiers. Supp. Alexander Deel. at 5. According to the Supplemental Alexander Declaration determined if a record of a telephone identifier was present in

NSA databases and, if so, provided analysts with certain information regarding the calling 'activity associated with that identifier. Id. at 3, 5-6. It did not provide analysts with the telephone identifiers that were in contact "With the telephone identifier that

r In this notice, the Government will refer to this standard as the "RAS standard" and telephone identifiers that satisfy the standard as -,,RA.:S-approved." (S) 2

NSD orally notified Court advisors of these two matters on February 20, 2009. (S)

TOP SECRET//C';OMINT//NOFORN//MR 2

1846 & 1862 PRODUCTION 5 MARCH 2009 -141'-

TOP SECRET//COMINT//NOFORN//MR served as a basis for the query. Id. at 3, 6. Although


~----

could operate as a

stand-alone tool, it more often operated automatically in support of other analytic tools, namely which is described more fully :in the Supplemental

Alexander Declaration. Id. at 3, 5-7. Since the Court's initial Order in May 2006, would search the BR metadata and other NSA databases. Id. at 2-3, 5-6. (TS//SI//NF) According to the Supplemental Alexander Declaration, on February 18, 2009, NSA disabled portions of two analytic tools, including often invoked confirmed that that most

query mechanism. Id. at 7. On February 19, 2009, NSA was querying the BR metadata without requiring RAS-

approval of the telephone identifiers usedas query terms. Id. atS. NSA then began to eliminate access to the BR metadata. Id. at 3. On February 20, 2009, NSA

restricted access to the BR metadata to permit only manual queries based on RASapproved telephone identifiers and to prevent any automated processes from accessing the BR metadata. Id. at 7, 9. NSA also blocked access to the historical files that were generated from automated queries. Id. at 7. Before re-instituting

automated processes that would access the BR metadata, NSA and NSD will determine that any proposed automated process will access'the BR metadata in a manner that complies vvith the Court's Orders. Id. at 9-10. (TS//SI//NF)

TOP SECRET//COMINT//NOFORN//MR 3
184fi It 1Rfi? PRnn11r.Tll"HJ !=\
~AARr.1-1

?nna -"ILi.?-

TOP SECRET//COMINT//NOFORN//MR Improper Analyst Queries Since November 1, 2008. On February 20, 2009, NSA notified NSD that NSA's audit of queries since November 1, 2008 had identified three analysts who conducted chaining in the BRmetadata using fourteen telephone identifiers that had not been RAS-approved before the queries. According to the Supplemental Alexander Declaration:
11

One analyst conducted contact chaining queries on four non-RASapp1;oved telephone identifiers on November 5, 2008;

A second analyst conducted one contact chaining query on one non-RASapproved telephone identifier on November 18, 2008; and

A third analyst conducted contact chaining queries on three non- RASapproved telephone identifiers on December 31, 2Q08; one non-RAS approved identifier on January 5, 2009; three non-RAS approved identifiers on January 15, 2009; and two non-RAS approved identifiers on January 22, 2009.

Id. at 8. None of the telephone identifiers used as seeds was associated with a U.S. person or telephone identifier, and none of the improper queries resulted in intelligence reporting. Id. at 8-9. According to the Supplemental Alexander Declaration, at the time of the improper queries, the three a,nalysts were conducting queries of telephone metadata other than the BR metadata, and each appears to have been ~aware that they were conducting queries of the BR metadata: ICC-at 9. (TS//SI//NF) TOP SECRET//COMINT//NOFORN//MR 4

1846 & 1862 PRODUCTION 5 MARCH 2009 -143- .

TOP SECRET//COMINT//NOFORN//MR As stated in the Alexander Declaration, NSA began designing a software fix to prevent the querying of the BR metadata with telephone identifiers that had not been RAS-approved. Alexander Deel. at 23-24. On February 20, 2009, NSA installed that software fix; as a result, no non-RAS-approved telephone identifier may be used to query the BR metadata. Supp. Alexander Deel. at 9. (TS//SI//NF)

-- Remainder of page intentionally left blank -

,I.

TOP SECRET//CO.MINT//NOFORN//MR 5

1846 & 1862 PRODUCTION 5 MARCH 2009 -144-

TOP SECRET//COMINT//NOFORN//MR

The Government aclmowledges that in the above matters it did not handle the BR metadata in the manner authorized by the Court. These matters were identified as a result of the several oversight and investigative obligations that the Government voluntarily undertook as a result of the Court's Order of January 28, 2009. The Government also has implemented certain additional restrictions on the access to the BR metadata that are designed to prevent the recurrence of improper access to the BR metadata. Accordingly, the Government respectfully submits that the Court need not take any further remedial action. (TS//SI//NF)

Respectfully submitted,

Acting Section Chief, Oversight

Office of Intelligence National Secwity Division United States D~partment of Justice

TOP SECRET//COMINT//NOFORN//MR
6

1846 & 1862 PRODUCTION 5 MARCH 2009 -145-

I I

1846 & 1862 PRODUCTION 5 MARCH 2009 -146-

TOP SECRET//COMINT//NOFORN//MR
. UNITED STATES FOREIGN INTELLIGENCE SURVEILLANCE COURT WASIDNGTON, D.C.

) )

)
) )

Docket No.: BR 08-13

SUPPLEMENTAL DECLARATION OF LIEUTENANT GENERAL KEITH B. ALEXANDER, UNITED STATES ARMY, DIRECTOR OF THE NATIONAL SECURITY AGENCY

(U) I, LieutenaJ?.t General Keith B. Alexander, depose and state as follows:


(U) I am the Director of the National Seci:rity Agency (''NSA" or "Agency"), an

intelligence agency Within the Department of Defense ("DoD"), and have served in this position since 2005. I currently hold the rank of Lieutenant General in the United States
Army and, concurrent with my current assignment as Director of the National Security

Agency, I also serve as the Chief of the Central Security Service and as the Commander of the Joint Functional Component Command for Network Warfare.
(U) The statements herein are based upon my personal knowledge, information

provided to me by my subordinates in the course of my official duties, advice of counsel, and conclusions reached in accordance therewith.

Derived From: NSA/CSSM 1-52 -.:.; Dated: 20070108 . Declassify on: MR


TOP SECRET//COMINT//NOFORN//M:R

1846 & 1862 PRODUCTION 5 MARCH 2009

~147-

. - - - - - - - - - - - -~ - - -.. ----:- -- - - - " - - - - - - - - - - - - - - - - - -

TOP SECRET//COMINT//NOFORN//MR

I. (U) Purpose:
(TS//SI//NF) Pursuant to a series of Orders issued by the Court since May 2006, NSA has been receiving telephony metadata from telecommunications providers. NSA refers to t~e Orders collectively as the "Business Records Order" or "BR FISA." Among other things, the Business Records Order requires NSA to determine that there is a reasonable artfoulable suspicion ("RAS") to believe that a telephone identifier that NSA wishes to use as a "seed'' for accessing the BR FISA data is associated -

This supplemental deClaration describes two compliance matters that NS)\


has discovered wJ.ille implementing the corrective actions the Government described to the Court in the brief and declaration filed with the Court on 17 Febmary 2009 regarding a compliance matter that the Deparhnent of Justice ("DoJ") first brought to the Court's attention on 15 January 2009. See, respectively, Memorandum of the United States in Response to Courf s Order Dated January 28, 2009, ("DoJ Memo") and Declaration of Keith B. Alexander ("Alexander Declaration''), Docket BR 08-13.

II. (U) Incidents:


A. (U) Summary

(TS//SI//NF) During an end-to-end review ofNSA's technical infrastructure that I ordered in response to the compliance incident that DoJ reported to the Court on 15 January 2009, NSA personnel determined on 18 February 2009 that an NSA analytical tool known as was querying bothE.O. 12333 and the Business Records

TOP SECRET//COMJNT//NOFORN//MR
-2-

1846 & 1862 PRODUCTION 5 MARCH 2009 -148-

TOP SECRET//COMINT//NOFORN/!MR data and that such queries would not have been limited to RAS approved telephone identifiers. As explained further below, was automatically invoked to

support certain types. of analytical research. Specifically, to help analysts identify a phone number of interest. If an analyst conducted research supported by the

analystwould receive a generic notification that NSA's signals intelligen.ce ("SIGINT") databases contained one or more references to the telephone identifier in which the analyst was interested; a count of how many times the identifier was present in SIGINT databases; the dates of the first and last call events associated with the identifier; a count of how many other unique telephone identifiers had direct contact with the identifier that was the subject of the analyst's research; the total number of calls made to or from the telephone identifier that was the subject of the. analyst's research; the ratio of the count of total calls to the count of unique contacts; and the amount of time it took to process the analyst's query. did not return to the analyst the actual telephone identi:fier(s)

that were in contact with the telephone identifier that was the subject of the analyst's research and the analyst did not receive a listing of the individual NSA databases that were queried by
~---

(TS//SI//NF) After identifying that

was allowing non-RAS approved

telephone identifiers to be used to conduct queries of the BR FIS.A. metadata to generate the statistical information that
~---

returned to individual analysts, NSA personnel

immediately began to eliminate ~--__ ability to access the BR FISA data. As of 20 February 2009, no automated analytic process or analytical tool can access the telephony metadata NSA receives pursuant to the Business Records Order. Moreover, the system's change of20 Feburary 2009 also prevents manual queries oft.he BRFISA TOP SECRET//COMINT//NOFORN//MR
-3-

1846 & 1862 PRODUCTION 5 MARCH 2009 -149-

I
. TOP SECRET//CO:MWT//NOFORN//MR metadata unless NSA has detennined that the telephone identifier that is being used to query the data has satisfied the RAS standard.

C:fS//SV!NF) In addition to the problem NSA identified regarding


-----

during a 100% audit of individual analyst queries of the BR FISA metadata1 NSA personnel discovered that three analysts inadvertently accessed the Business Records data using fourteen different non-RAS approved selectors between 1November2008 and 23 January 2009. None of the improper queries resulted in any intelligence reporting and none of the identifiers were associated with a U.S. telephone identifier or U.S. person. The techn).cal change NSA implemented on 20 February 2009 to correct the problem of automated BR FISA queries also included another software change that prevents manUal queries against non-RAS approved identifiers. Thus, the 20 February 2009 system upgrades should prevent recurrences of the improper analyst queries that are also . discussed in detail below.

B. (U) Details (S) focident 1:


(TS//SI//NF) As part of the response to the compliance problem described to the Court in my 17 February 2009 declaration, I ordered.an examination "to ensure that NSA's technical infrastructure has not allowed, and will not allow, non-approved selectors to be used as seeds for contact chaining of the BR FISA

data." Alexander Declaration at 22. I also stated thatNSA would "report to DoJ and the

TOP SECRET//COivlINT//NOFORN//MR

-4-

1846 & 1862 PRODUCTION 5 MARCH 2009 -150-

TOP SECRET//COMINT//NOFORN//MR
Court if thls examination of the teclmical infrastructure reveals any incidents of improper querying of the BR FISA data repository.". Jd. ('fS//SI//NF) On 18 February 2009, NSA teclmical personnel notified NSA's Office of General Counsel that, as part of the review ofNSA's technical infrastructure that I ordered, they discovered that the use of may have resulted in queries of

NSA's BR PISA data and that such queries would.not have been limited to the use of RAS approved telephone identifiers. On 19 February 2009, NSA personnel confumed that this was, in fact, the case. NSA informally notified DoJ and the Office of the Director of National Intelligence of this problem later that same day. (S//SI) As I
~tated

above, NSA uses


~---

to support analytical research

regarding telephone identifiers that are ofintelligence interest to NSA's SIGINT personnel. determines if a telephone identifier is present in NSA data

repositories and also reports the level of calling activity associated with any particular telephone identifier. Although can be used as a stand-alone tool, it is used

more often as a background process in support of other NSA analytical tools.

TOP SECRET//COMlNT//NOFORN//lVIR
- 5-

1846 & 1862 PRODUCTION 5 MARCH 2009 -151-

TOP SECRET//COMThrT//NOFORN/IMR

The results of the queries (the number of unique col;l.tacts found for each expanded

telephone identifier; the total number of calls made to or frcim the telephone identifier that served as the basis for the query; the ratio of total calls to unique calls; the date of the first call event recorded; the date of the last call event; and the amount of time it took to process the query) would be displayed to the analyst

Although BR FISA data,


~---

10

longer can access the

greatly assists analysts to choose selectively the best does not return

identifiers for further target development. As I stated above,

the telephone identifier(s) that were in contact with the telephone identifier that was the subject of the analyst's research. (TS//SI//NF) NSA ~as determined that the Agency had co~guredL_ to include the BR FISA data repository as one of the sources of SIGJNT data that queried since the issuance Df the first Business Records Order in May 2006.

TOP SECRET//COMlNT//NOFORN//MR

-6-

1846 & 1862 PRODUCTION 5 MARCH 2009 -152-

TOP SECRET//COMINT//NOFORN//MR This configuration remained in place until NSA identified this problem on 18 February 2009. As noted previously, databases did not tell individual analysts which SIGINT

was querying nor did the tool provide analysts with the actual

telephone numbers that had been in direct contact with the identifiers that served as the basis for queries. In other words, if an analyst wanted to construct a chamL

l__ of the contacts associated with an identifier that had been the subject of a
query, the analyst was required to query the appropriate data repositories directly. For BR FISA data, this meant that only an. analyst approved for access to BR PISA material could conduct such a query. (TS//SI//NF) Upon identification of this problem, NSA took immediate corrective actions. First; on the evening of 18 February 2009, NSA's Signals Intelligence Directorate disabled portions of two analytical tools used most often to invoke automatic query mechanism. Second, on the morning of 19 February 2009, NSA shut down itself Third, after conducting further examination of the

probl em, on the morning of 20 February 2009, t.he Signals Intelligence Directorate installed a technical safeguard called Emphatic Access Restriction, which is the equivalent of a firewall that prevents any automated process or subroutine from accessing the BR FISA data. 2 Fourth, on the evening of Friday, 20 February 2009, NSA blocked access to the historical files that were generated from automated :iueries.

(TS//SV/NF) This technical safeguard had been under development since mid-January 2009, following the initial discovery of compliance issues associated with the Business Records Order. The safeguard also prevents analysts from performing manual chaining on numbers that have not been marked as RAS approved.

TOP SECRET//COJVITNT//NOFORN//MR

-7-

1846 & 1862 PRODUCTION 5 MARCH 2009 -153-

TOP SECRET//COMINT/!.NOFORN//MR
(S) Incident 2: Improper Analyst Queries

(TS//SI//NF) Among the other corrective actions described to the Court in the Government's filing on 17 February 2009, NSA also initiated an audit of all queries made of the BR FISA data between 1November2008 and 23 January 2009. See Alexander Declaration at 22-23. As part of this audit, NSA has identified additional instances of improper analyst queries of the BRFISA data. None of the improper queries resulted in any intelligence reporting and none of the identifiers were associated with a U.S. telephone number or person. (TS//SI/!.NF) Prior to 15 January 2009, audits ofBRFISA queries were.
implement~d

as spot checks of analyst queries or would be limited to a single day's worth

of queries. After one of these spot checks identified improper queries conducted by two analysts, the Agency decided to conduct a more comprehensive audit of all analysts queries of the BR FISA metadata conducted between 1 November2008 to 23 January 2009. See Alexander Declaration at 22-23. When NSA oversight.personnel completed the first round of this comprehensive audit, they discovered that three analysts were responsible for fourteen instances of improper querying of the BR PISA data. The fourteen seed identifiers did not meet RAS approval prior to the analysts' queries. The first analyst conducted one query on one non-RAS approved seed identifier on 18 November 2008. The second analyst chained on four different non-RAS approved seeds on 5 November 2008. The third analyst chained on three different non-RAS approved seeds on 31 December 2008; one non-RAS approved identifier on 5 January 2009; three different non-RAS approved identifiers on 15 January 2009; and two different non-RAS approved identifiers on.22 January 2009. None of the improper TOP SECRET//COMINT//NOFORN//MR
-8-

1846 & 1862 PRODUCTION 5 MARCH 2009 -154-

TOP SECRET//COMINT//NOFORN//MR queries resulted in any intelligence reporting and none of the identifiers were associated with a U.S. telephone identifier or U.S. person. (TS//SI//NF) Each of the analysts responsible for these improper queries did not realize they were conducting queries in the BR FISA data.. This conclusion is based on an audit of other queries they were conducting at the same time as well as questioning of the analysts by NSA's. Oversight and Compliance Office. Each analyst thought they were conducting queries of other repositories of telephony metadata that are not subject to the requirements of the Business Records Order. 3 On 20 February 2009, software changes were made to ensure analysts could only access the BR data using this new version of the chaining tool. (TS//SI//NF) As the Government reported in its filing of 17 February 2009, NSA decided tq design new software to prevent the querying of any telephone identifier within the BR PISA data unless the identifier has been RAS-approved. See Alexander Declaration at 23-24. On 20 February 2009, the software change NSA made to prevent automated tools from access the BR PISA metadata also prevents any non-RAS approved
. .

selector from being used as a seed for manual querying of the BRFISA data. III. (U) Con"clusion: (TS//SI//NF) NSA's implementation of Emphatic Access Restriction should prevent recurrences of both types of compliance incidents that are the subject of this supplemental declaration to the Court. NSA's BR FISA data repository is currently only able to accept manual queries based on a RAS-approved telephone identifier. Prior to
3

(TS//SI//NF) At the time of the improper queries, each of these analysts were using dual screen computer equjpment that provided the analysts with simultaneous access to BR FISA data and metadata that is not subject to the Business _Records Order. --

TOP SECRET//COMINT//NOFORN//MR
-9-

1846 & 1862 PRODUCTION 5 MARCH 2009 -155-

TOP SECRET//COMINT//NOFORN//MR reinstituting any automated process that would provide any sort of access to, or comparison against, the BR PISA data, NSA' s Office of General Counsel and the Department of Justice will review and approve the process. (TS//SI//NF) Notwithstanding implementation of Emphatic Access Restriction, NSA continues to examine its technical infrastructure to ensure that queries of BR FISA metadata are restricted to the use of RAS approved telephone identifiers. I expect that any further problems NSA persmmel may identify with the infrastructure will be historical in nature. However, as indicated mmy previous declaration to the Court, NSA will report any further problems Agency personnel may identify (whether current or historical) to both DoJ and the Court.

TOP SECRET//COMINT//NOFORN//MR - 10 -

1846 & 1862 PRODUCTION 5 MARCH 2009 -156-

TOP SECRET//COMINT//NOFORN//MR

(U) I declare under penalty of perjury that the facts set forth above are true and
correct.

~~
Executed this
-<..
'? -

Lieutenant General, U.S. Army Director, National Security Agency

er

T#-

day of "d'.4--0 ~

e:P7 /"

'2009

TOP SECRET//COMINT//NOFORN//MR - 11 -

1846 & 1862 PRODUCTION 5 MARCH 2009 -157-

TOP SECRET//COMINT//NOFORN//MR
UNITED STATES FOREIGN INTELLIGENCE SURVEILLANCE COURT WASHINGTON, D.C.

Docket Number: BR 08-13

ORDER

On December 12, 2008, the Foreign Intelligence Surveillance Court ("FISC" or "Court")

..
re-authorized the government to acquire the tangible things sought by the government in its application in the above-captioned docket ("BR 08-13"). Specifically, the Court ordered o produce, on an ongoing daily basis for the duration of the order, an electronic copy of all call detail records or "telephony metadata" created by BR.08-13, Primary Order at 4. The Court found reasonable grounds to believe that the tangible things sought are relevant to authorized investigations being conducted by the Federal Bureau of Investigation ("FBI") to protect against international terrorism, which investigations are not being conducted solely upon the basis of First Amendment protected activities, as required by 50 U.S.C. 1861(b)(2)(A) and (c)(l). Id. at 3. In making this finding, the Court relied on the

TOP SECRET//COIVIlNT/lNOFORN//MR ---~

1846 & 1862 PRODUCTION 5 MARCH 2009 -158-

TOP SE9RET/fCOMINT/fNOFORN//MR assertion of the National Security Agency ("NSA") that having access to the call detail records "is vital to NS~'s counterterrorism intelligence mission" because "[t]he only effective means by which NSA analysts are able continuously to keep track o d all affiliates of one of the aforementioned entities [who are tald.ng steps to disguise and obscure their communications and identities], is to obtain and maintain an archive of metadata that will permit these tactics to be uncovered." BR 08-13, Application Exhibit A, Declaration of

Signals Intelligence Directorate Deputy Program Manager~-------- NSA, filed Dec. 11, 2008

C"L Declaration") at 5. NSA

- - - - - - - - - - - -

also averred that [t]o be able to exploit metadata fully, the data must be collected in bulk .... The ability to accumulate a metadata archive and set it aside for carefully controlled searches and analysis will substantial! increase NSA's abili to detect and identi members a

Id. at 5-6.

Because the collection would result in NSA collecting call detail records pertaining to of telephone communications, including call detail records pertaining to communications of United States ("U.S.") persons located within the U.S. who are not the subject of any FBI investigation and whose metadata could not otherwise be legally captured in bulk, the government proposed stringent minimization procedures that strictly controlled the

TOP SECRET//COMINTJ~OFORN//MR 2

1846 & 1862 PRODUCTION 5 MARCH 2009 -159-

TOP SECRET//COMINT//NOFORN//MR
acquisition, accessing, dissemination, and retention of these records by the NSA and the FBI. 1 BR 08-13, Application at 12, 19-28. The Court's Primary Order directed the government to strictly adhere to these procedures, as required by 50 U.S.C. 186l(c)(l). Id. at 4-12. Among other things, the Court order~d that: access to the archived data shall occur only when NSA has identified a known telephone identifier for which, based on the factual and practical considerations of everyday life on which reasonable and prudent persons act, there are facts giving rise to a reasonable, articulable suspicion that the telephone identifier is associated with

so e yon e by the First Amendment to the Constitution. Id. at 8 (emphasis added). In response ,to a Preliminary Notice of Compliance Incident dated January 15, 2009, this Court ordered further briefing on the non-compliance incident to help the Court assess whether its Orders should be modified or rescinded; whether other remedial steps should be directed; and whether the Court should take action regarding persons responsible for any misrepresentations to the Court or violations of its Orders. Order Regarding Preliminary Notice of Compliance Incident Dated January 15, 2009, issued Jan. 28, 2009, at 2. The government timely filed its Memorandum in Response to the Court's Order on February 17, 2009. Memorandum of the United States In Response to the Court's Order Dated January 28, 2009 ("Feb. 17, 2009

~--

The Court notes that the procedures set forth in the government's application and the Declaration are described in the government's application as ''minimization proced'ures." BR 08-13, Application at 20.

TOP SECRET//COMINXifNOFORN//MR 3

1846 & 1862 PRODUCTION 5 MARCH 2009 -160-

TOP SJECRET//COMINT//NOFORN//MR
Memorandum"). A. NSA's Unauthorized Use of the Alert List The government reported in the Feb. 17, 2009 Memorandum that, prior to the Court's initial authorization on May 24, 2006 (BR 06-05), the NSA had developed an "alert list process" to assist the NSA in prioritizing its review of the telephony rnetadata it received. Feb. 17, 2009 Memorandtim at 8. Following the Coures initial authorization, the NSA revised this alert list process so that it compared the telephone identifiers on the alert list against incoming FISCau:thorized Business Record metadata (''BR metadata") and SIGINT collection from other sources, .and notified NSA's counterterrorism organization ifthere was a match between an identifier on the alert list and an identifier in the incoming data. Feb. 17, 2009 Memorandum at 9-10. The revised NSA process limited any further analysis of such identifiers using the BR metadata to

.
those telephone identifiers determined to have met the "reasonable articulable suspicion" standard (hereafter "RAS-approved identifiers") set forth above. Id. at 10-11 .. However, because the alert list included all identifiers (foreign and domestic) that were of interest to counterterrorism analysts who were charged with trackin most of the telephone identifiers compared against the incoming BR metadata were not RAS-approved. 2 Feb. 17, 2009 Memorandum at 10-11. Thus, since the earliest days of the FISC-authorized collection of call-detail records by the NSA, the

As an example, the government reports that as of January 15, 2009, only 1,935 of the 17,835 identifiers on the alert list were RAS-approved. Feb.17, 2009 Memorandum at 11.

TOP SECRET//COMINT//NOFORN//MR - -- . 4

1846 & 1862 PRODUCTION 5 MARCH 2009 -161-

TOP SECRET//COMJINT//NOFORN//MR NSA has on a daily basis, accessed the BR metadata for purposes of comparing thousands of nonRAS approved telephone identifiers on its alert list against the BR metadata in order to identify . . any matches. Such access was prohibited by the governing minimization procedures under each of the relevant Court orders, as the government concedes in its submi~sion. Memorandum at 16. The government's submission suggests that its non-compliance with the Court's orders resulted from a belief by some personnel within the NSA that some of the Court's restrictions on access to the BR metadata applied only to "archived data;'' i.e., data residing within certain databases at the NSA. Feb. 17, 2009 Memorandum, Tab 1, Declaratiqn of Lieutenant General Keith B. Alexander, United States Army, Director of the NSA ("Feb. 17, 2009 Alexander Declaration") at 10-11. That interpretation of the CoUrt' s Orders strains credulity. It is difficult to imagine why the Court would intend the applicability of the RAS requirement - a critical component of the procedures proposed by the government and adopted by the Court - to turn on whether or not the data being accessed has been ''archived" by the NSA in a particular database at the time of the access. Indeed, to the extent that the NSA makes the decision about where to store incoming BR metadata and when the archiving occms, such an illogical interpretation of the Court's Orders renders compliance with the RAS requirement merely optional. The NSA also suggests that the NSA OGC's approval of procedures allowing the use of non-RAS-approved identifiers on the alert list to query BR metadata not yet in the NSA's "archive" was not surprising. since the procedures were similar to those used in connection with
F~b.

17, 2009

TOP SECRET//COMJ.NT/JNOFORN//MR 5

1846 & 1862 PRODUCTION 5 MARCH 2009 -162-

TOP SECRET//COMINT//NOFORN//MR other NSA SIGINT collection activities. Feb 17, 2009 Alexander Declaration at 11, n.6. If this is the case, then the root of the non-compliance is not a terminological misunderstanding, but the NSA's decision to treat the accessing of all call detail records produced no differently than other collections under separate NSA authorities. to which the Court-approved minimization procedures do not apply. B. Misrepresentations to the Court The government has compounded its non-compliance with the Court's orders by repeatedly submitting inaccurate descriptions of the alert list process to the FISC. Due to the volume of U.S. person data being collected pursuant to the Court's orders, the FIS C's orders have all required that any renewal application include a report on the implementation of the Court's prior orders, including a description of the manner in which the NSA applied the minimization procedures set forth therein. See, e.g., BR 08-13, Primary Order at 12. In its report to the FISC accompanying its first renewal application that was filed on August 18, 2006, the governme~1t described the alert list process as follows: NSA has compiled through its continuous counter-terrorism analysis, a list of telephone numbers that constitutes an "alert list" of telephone numbers used by This alert members of list serves as a body of telep one num ers emp oye to query

is evaluated to determine whether the information a out it provi e to sa isfies the reasonable articulable suspicion standard. If so, the foreign telephone number is placed on the alert list; if not, it is not placed on the alert list. The process set out above applies also to newly discovered domestic TOP SECRET//COMINTll__NOFORN//MR 6

1846 & 1862 PRODUCTION 5 MARCH 2009 -163-

TOP SECRET//COMINT//NOFORN//MR
telephone numbers considered for addition to the alert list, with the additional requirement that NSA's Office of General Counsel reviews these numbers and affirms that the telephone number is not the focus of the analysis based solely on activities that are protected by the First Amendment. ....

As of the last day of the reporting period addressed herein, NSA had included a total of 3980 telephone numbers on the alert list, which includes foreign numbers and domestic numbers, after concluding that each of the foreign telephone numbers satisfied the [RAS standard]. and each of the domestic telephone numbers was ether a FISC approved number or in direct contact vvith a foreign seed that met those criteria. [3]

To summarize the alert system: every day new contacts are automatically revealed with the 3980 telephone numbers contained on the alert list described above, which themselves are present on the alert list either because they satisfied the reasonable articulable suspicion standard, or because they are domestic numbers that were either a FISC approved number or in direct contact with a . number that did so. These automated queries identify any new telephone contacts between the numbers on the a,lert list and any other number, except that domestic .numbers do not alert on domestic-to-domestic contacts. NSA Report to the Foreign Intelligence Surveiliance Court, Docket no. BR 06-05, filed Aug. 18, 2006 at 12-15 (emphasis added). This description was included in similar form in all subsequent reports to the Court, including the report submitted to this Court on December 11, 2008. Feb.17, 2009 Memorandum at 13. The NSA attributes these material misrepresentations to the failure of those familiar with

Tbe rep01t further explained that identifiers 'Within the second category of domestic numbers were not used as "seeds." NSA Report to the Foreign Intelligence Surveillance Court, Docket no. BR 06-05, filed Aug. 18, 2006 at 14. Moreover, rather than conducting daily queries of the RAS-approved foreign telephone identifier that originally contacted the domestic number, the domestic numbers were included in the alert list as "merely a quicker and more efficient way of achieving the same result.. .. " Id. at 14 n.6. In November 2006, the NSA reported that it ceased this activity on August 18, 2006. Feb. 17, 2009 Alexander Declaration at 7 n. l.

TOP

SECRET//COMINT/~OFORN//MR

1846 & 1862 PRODUCTION 5 MARCH 2009 -164-

TOP SECRET//COMINT//NOFORN//MR
the program to correct inaccuracies in a draft of the report prepared in August 2006 by a managing attm.~ey in the NSA's Office of General Counsel, despite his request that recipients of the draft "'make sure everything I have siad (sic) is absolutely true.''4 Feb. 17, 2009.Alexander Declaration at 16-17; see also id. at Exhibit D. Further, the NSA reports: it appears there was never a complete understanding among the key personnel who reviewed the report for the SIOINT Directorate and the Office of General Counsel regarding what each individual meant by the terminology used in the report. Once this initial misunderstanding occurred, the alert list description was never corrected since neither the SIGINT Directorate nor the Office of General Counsel realized there was a misunderstanding. As a result, NSA never revisited the description of the alert list that was included in the original report to the Court. Feb. 17, 2009 Alexander Declaration at 18. Finally, the NSA reports that "from a technical standpoint, there was no single person who had a complete technical understanding of the BR

FISA system architecture. This probably also contributed.to the inaccurate description of the
'

alert list that NSA included in its BR PISA reports to the Court." Id. at 19. Regardless of what factors contributed to making these misrepresentations, the Court finds that the government's failure to ensure that responsible officials adequately understood the , NSA's alert list process, and to accurately report its implementation to the Court, has prevented,

The Court notes that at a hearing held on August 18, 2006, concerning the government's first renewal application (BR 06-08), the NSA's affiant testified as follows: THE COURT: All right. Now additionally, you have cause to be - well at least I received it yesterday - the first report following the May 24 order, which is a 90-day report, and some 18 pages and I'.ve reviewed that and you affirm that that's the best report or true and accurate to the best of your knowledge and belief.
~---

Transcript of Proceedings before the Hon. Malcolm J. Howard, U.S. FISC Judge, Docket No. BR 06-08, Aug. 18, 2006, at 12.

~~~-~-

I&,~~

TOP SECRET//COMIN'.fjfNOFVRN/f.MR 8

1846 & 1862 PRODUCTION 5 MARCH 2009

-1n~-

TOP SECRET//COMINT//NOFORN//MR
for more than two years, both the government and the FISC from talcing steps to remedy \laily violations of th~ minimization procedures set forth in FISC orders and designed to protect call detail records pertaining to telephone communications of U.S. persons located 'Within the United States who are not the subject of any FBI investigation and whose call detail information could not otherwise have been legally captured in bulk. C. Other Non-Compliance Matters Unfortunately, the universe of compliance matters that have. arisen under the Court's Orders for this business records collection extends beyond the events described above. On October 17, 2008, the government reported to' the FISC that, after the FISC authorized the NSA to increase the number of analysts authorized to access the BR metadata to 85, the NS.A trained those newly authorized analysts on Court-ordered procedures. Sixty-Day Report for Filing in Docket Number BR 08-08, filed Oct. 17, 2008 at 7. Despite this training, however, the NSA subsequently determined that 31 NSA analysts had queried the BR metadata during a five day period in April 2008 "'Without being aware they were doing so." Id. (emphasis added). As a result, the NSA analysts used 2,3 73 foreign telephone identifiers to query the BR metadata without first determining that the reasonable articulable suspicion standard had been satisfied.

Uppn discovering this problem, the NSA undertook a number of remedial measures, including suspending the 31 analysts' access pending additional training, and modifying the NSA's tool for accessing the data so that analysts were required specifically to enable access to

TOP. SECRET//COM!N'f~0FORN/!MR .
9

1846 & 1862 PRODUCTION 5 MARCH 2009 -166-

TOP SECRET//COMINT//NOFORN//MR
the BR metadata and acknowledge such access. Id. at 8. Despite taldng these corrective steps, on December 1~, 2008, the government informed the FISC that one analyst had failed to install the modified access tool and, as a result, inadvertently queried the data using five identifiers for which NSA had not determined that the reasonable m1:iculable suspicion standard was satisfied. Preliminary Notice of Compliance Incident, Docket no. BR 08-08, filed Dec. 11, 2008 at 2; see also Notice of Compliance Incident Involving Docket Number BR 08-08, filed Jan. 22, 2009. Then, on January 26, 2009, the government informed the Court that, from approximately December 10, 2008, to January 23, 2009, two NSA analysts had used 280 foreign telephone identifiers to query the BR metadata without determining that the Court's reasonable articulable suspicion standard had been satisfied. Notice of Compliance .Incident, Docket No. BR 08-13, filed January 26, 2009 at 2. It appears that these queries were conducted despite full implementation of the above-referenced software modifications to the BR metadata access tool, as well as the NSA's additional training of its analysts. 5 And, as noted below with regard to the NSA's routine use of the tool from May 2006 until February 18, 2009, the NSA

continues to uncover examples of systemic noncompliance. In sw.nmary, since January 15, 2009, it has finally come to light that the FISC' s authorizations of this vast collection program have been premised on a flawed depiction of how

0n October 17, 2008, the government reported that all but four analysts who no longer required access to the BR metadata had completed the additional training and were provided
access to the data. Sixty-Day Rep.art for Filing in Docket Number BR 08-08, filed Oct. 17, 2008 at 8 n.6.

TOP SECRET//COMINTJJNOFORN//MR
. 10

1846 & 1862 PRODUCTION 5 MARCH 2009

-1fi7-

TOP SECRET//COMINT//NOFORN//MR
the NSA uses BR metadata. This misperception by the FISC existed from the inception of its authorized coll~ction in May 2006, buttressed by repeated inaccurate statements made in the government's submissions, and despite a government-devised and Court-mandated oversight regime. The minimization procedures proposed by the government in each successive application and approved and adopted as binding by the orders of the FISC have been so frequently and systemically violated that it can fairly be said that this critical element of the overall BR regime has never functioned effectively. D. Reassessment of BR Metadata Authorization In light of the foregoing, the Court returns to fundamental principles underlying its authorizations. In order to compel the production of tangible things to the government, the Court must find that there are reasonable grounds to believe that th~ tangible things sought are relevant

to an authorized investigation (other than a threat assessment) to obtain foreign intelligence


information not concerning a U.S. person or to protect against international terrorism or clandestine intelligence activities; provided that such investigation of a U.S. person is not conducted solely on the basis of activities protected by the First Amendrrient. 50 U.S.C. 1861. The government's applications have all acknowledged that, of the records NSA receives per day (currently over individual records that are being sought pertain neither t of call detail

per day), the vast majority of

See,~.

BR 08-13, Application at 19-20. In other words,

TOP SECRET//COMIN'I:lf;NOFORN/fMR
11

1846 & 1862 PRODUCTION 5 MARCH 2009 -168-

TOP SECRET//COMINT//NOFORN//MR
nearly all of the call detail records collected pertain to communications of non-U.S . persons who .ire not the subj~ct of an FBI investigation to obtain foreign intelligence infonnation, are communications of U.S. persons who are not the subject of an FBI investigation to protect against internati~nal terrorism or clandestine intelligence activities, and are data that otherwise could not be legally captured tu bulk by the government. Ordinarily, this alone would provide sufficient grounds for a FISC judge to deny the application. Nevertheless, the FISC has authorized the bulk collection of call detail records in this case based upon: (1) the government's explanation, under oath, of how the collection of and access to such data are necessary to analytical methods that are vital to the national security of the United States; and (2) minimization procedures that carefully restrict access to the BR metadata and include specific oversight requirements. Given the Executive Brand~' s responsibility for and expertise in determining how best to protect our national security, and in light of the scale of this bulk collection progran1, the Court must rely heavily on the government to monitor this program to ensure that it continues to be justified, in the view of those responsible for our national security, and that it is being implemented in a manner that protects the privacy interests of U.S. persons as required by applicable minimization procedures. To approve such a program, the Court must have every confidence that the government is doing its utmost to ensure that those responsible for implementation fully comply with the Court's orders. The Court no longer has such confidence.

TOP SECRET//COMINT@'IOFORN//MR
12

1846 & 1862 PRODUCTION 5 MARCH 2009 -169-

TOP SECRET//COMINT//NOFORN//MR
With regard to the value of the BR metadata program,"the government points to the 275 reports that the NSA has provided to the FBI identifying 2,549 telephone identifiers associated with the targets. Feb. 17, 2009 Alexander Declaration at 42. The government's sl).bmission also cites three examples in which the FBI opened three new preliminary investigations of persons in the U.S. based on tips from the BR metadata program.. Id., FBI Feedback on Report, Exhibit J. However, the
~ere

commencement of a preliminary investigation, by itself, does not seem

particularly significant. Of course, if suc.h an investigation led to the identification of a previously unlmown terrorist operative in the United States, the Court appreciates that it would be of immense value to the government. In any event, this program has been ongoing for nearly three years. The time has come for the government to describe to the Court how, based on the information collected and analyzed during that time, the value of the program to the nation's security justifies the continued c?llection and retention of massive quantities of U.S. person information. Turning to the government's implementation of the Court-ordered minimization procedures and oversight regime, the Court takes note of the remedial measures being undertaken by the government as described in its recent filings. In particular, the Court welcomes the Director of the NSA' s decision to order "end-to-end system engineerii.ig and process reviews (technical and operational) ofNSA's handling" of BR metadata. Feb. 17, 2009 Alexander Declaration at 21. However, the Court is very disturbed to learn that this ongoing exercise has identified additional violations of the Court's orders, including the routine accessing of BR

TOP SECRET//COMINT#NOFORN//MR 13

1846 & 1862 PRODUCTION 5 MARCH 2009 -170-

TOP SECRET//COMINT/!NOFORN/!MR
metadata from May 2006 to February 18, 2009, through another NSA analytical tool known as 1;1-Sing telephone identifiers that had not been determined to meet the reasonable articulable suspicion standard. BR 08-13, Notice of Compliance Incident, filed Feb. 26, 2009 ("Feb. 26, 2009 Notice"). In its last submission, the government describes technical measures implemented on February 20, 2009, designed to prevent any recurrences of the particular forms of noncompliance uncovered to date ..This "technical safeguard" is intended to prevent "any automated process or subroutine," such as
~---

"from accessing the BR FISA data," and to prevent

"analysts from performing manual chaining[6] on numbers that have not been marked as RAS approved." See Supplemental Declaration of Lieutenant General Keith B. Alexander, United States Anny, Director ofNSA, filed Feb. 26, 2009 ("Feb. 26, 2009 Alexander Declari;i.tion") at 7
& n.2. On the strength of these measures, the government submits that ''the Court need not take

any further remedial action." Feb. 26, 2009 Notice at 6. After considering these measures in the

context of the historical record of non-compliance and in view of the Court's authority and responsibility to "determine [and] enforce compliance" with Court orders and Court-approved procedures, 50 U.S.C. l 803(i), the Court has concluded that further action is, in fact, necessary. The record before the Court strongly suggests that, from the inception of this PISA BR

6 In context, "chaining" appears to refer to the fom1 of querying the BR metadata known as "contact chaining." See Declaration at 6. I

TOP SECRET//COMINTLfNOFORN//MR 14

1846 & 1862 PRODUCTION 5 MARCH 2009 -171-

TOP SECRET//COMINT//NOFORN/11\fil
program, the NSA's data accessing technologies and practices were never adequately designed to comply with the governing minimization procedures. From inception, the NSA employed two separate automated processes - the daily alert list and the tool - that routinely

involved queries based on telephone identifiers that were not RAS-approved. See sunra pp. 4-6, 13-14. As for manual queries, the minimization procedures required analysts to use RASapproved identifiers whenever they accessed BR metadata, yet thousands of violations resulted from the use of identifiers that had not been RAS-approved by analysts who were not even aware that they were accessing BR metadata. See supra pp: 9-10. Moreover, it appears that the NSA - or at least those persons within the NSA with knowledge of the governing minimization procedures - are still in the process of determining how the NSA's own systems and personnel interact with the BR metadata. Under these circumstances, no one inside or outside of the NSA -can represent with adequate certainty whether the NSA is complying with those procedures. In fact, the govermnent acknowledges that, as of August 2006, "there was no single person who had a complete understanding of the BR FISA system architecture." Feb. 17, 2009 Alexander Declaration at 19. This situation evidently had not been remedied as of Febrnary 18, 2009, when "NSA personnel determined," only as a result of the "end-to-end review of NSA' s technical infrastructure' ordered by the Director of the NSA on January 15, 2009, that the tool accessed the BR metadata on

the basis of telephone identifiers that had not been RAS-approved. Feb. 26, 2009 Alexander Declaration at 2-3.

TOP SECRET//COMINTli;NOFORN//MR 15

1846 & 1862 PRODUCTION 5 MARCH 2009 -172-

TOP SECRET//COMINT//NOFORN//MR
This end-to-end review has not been completed. Id. at 10. Nonetheless, the government submits that thti technical safeguards implemented on February 20, 2009 "should prevent recurrences" of the identified forms of non-compliance, id. at 9 (emphasis added), and "'exoect[s] that any further problems NSA personnel may identify with the infrastructure will be historical," rather than current, id. at 10 (emphasis added). However, until this end-toend review has been completed, the Court sees little reason to believe that the most recent discovery of a systemic, ongoing violation - on February 18, 2009 - will be the last. Nor does the Court share the govenunent's optimism that technical safeguards implemented to respond to one set of problems will fortuitously be effective against additional problems identified in the future. Moreover, even with regard to the particular forms of non-compliance that have been identified, there is reason to question whether the newly implemented safeguards will be effective. For example, as discussed above, the NSA reported on October 17, 2008, that it had deployed software modifications that would require analysts to specifically enable access to BR metadata when performing manual queries, but these modifications did not prevent hundreds of additional violations by analysts who inadvertently accessed BR metadata through queries using telephone identifiers that had not been RAS-approved. See supra pp. 9-1 O; Feb. 26, 2009 Al<;xander Declaration at 4. The Court additionally notes that, in a matter before another judge of the FISC, the mere existence of software solutions was not sufficient to ensure their efficacy:

TOP SECRET//COMINT#NOFORN//MR
16

1846 & 1862 PRODUCTION 5 MARCH 2009 -173-

TOP SECRET//COMINT//NOFORN//MR
''NSA's representations to the Court in the August 27, 2008, hearing did not explicitly account.for the possibility that system configuration errors (such as those discussed in the government's response to question 10 below) might render NSA's overcollection filters ineffective, which was the root cause for some of the non-compliance incidents."

Government's Response to the Court's Order of January 16, 2009, answer no. 8 at 13.
11

"Troubleshooting has since revealed that a software patch that might have prevented the [compliance incident] was not present on the recently deployed selection system." Id., answer no. 10 at 14. ''NSA further determined [in January 2009] that the overcollection filter had not been functioning since this site was activated on July 30, 2008." Id.

In light of what appear tobe systemic problems, this Court cannot accept the mere introduction of technological remedies as a demonstration that a problem is solved. More is required~ Thus, notwithstanding the rem_edial measures undertaken by the government, the Court believes that more is needed to protect the privacy of U.S. person information acquired and retained pursuant to the FISC orders issued in this matter. However, given the government's repeated representations that the collection of the BR metadata is vital to national security, and in light of the Court's prior determinations that, if the program is conducted in compliance with appropriate minimization procedures, such collection conforms with 50 U.S.C. 1861, the Court concludes it would not be prudent to order that the government's acquisition of the BR metadata cease at this

TOP SECRET//COMINT/f.NOFORN//MR. 17

1846 & 1862 PRODUCTION 5 MARCH 2009 -174-

TOP SECRET//COMINT//NOFORN//MR
time. However, except as authorized below, the Court will not permit the government to access the data collectyd until such time as the government is able to restore the Court's confidence that the government can and will comply with previously approved procedures for accessing such data. Accordingly, it is HEREBY ORDERED: 1. The NSA may continue to acquire all call detail records of "telephony metadata" created by in accordance with the orders entered in the above-

captioned docket on December 12, 2008; 2. The government is hereby prohibited from accessing BR metadata acquired pursuant to FISC orders in the above-captioned docket and its predecessors for any purpose except as described herein .. The data may be accessed for the purpose of ensuring data integrity and compliance with the Court's orders. Except as provided in paragraph 3, access to the BR metadata shall be limited to the team ofNSA data integrity analysts described in footnote 5 of the Declaration, and individuals directly involved in developing and testing any technological
- - -

measures designed to enable the NSA to comply with previously approved procedures for accessing such data; 3. The government may request through a motion that the Court authorize querying of the BR metadata for purposes of obtaining foreign intelligence on a case-by-case basis. However, if the government determines that immediate access is necessary to protect against an imminent threat to human life, the government may access the BR metadata for such.purpose. In

TOP SECRET//COMINTLJ.NOFORN//MR 18

1846

It

1862 PRODllCTION

!)

MARr.H

?nn~

-11~-

TOP SECRET//COMINT//NOFORN/!MR
each such case falling under this latter category, the government shall notify the Court of the access, in vvritil').g, no later than 5:00 p.m., Eastern Time on the next business day after such access. Any submJssion to the Court under this paragraph shall, at a minimum, specify the telephone identifier for which access is sought or was granted, provide the factual basis for the NSA's detennination that the reasonable articulable suspicion standard has been met with regard to that identifier, and, if the access has already.taken place, a statement of the immediate threat necessitating such access; 4. Upon completion of the government's end-to-end system engineering and process reviews, the government shall file a report with the Court, that shall, at a minimum, include: a. an affidavit by the Director of the FBI, and affidavits by any other official responsible for national security that the government deems appropriate, describing the value of the BR metadata to the national security of the United States and certifying that the tangible things sought are relevant to an authorized investigation (other than a threat assessment) to obtain foreign intelligence information not concerning a U.S. person or to protect against international terrorism or clandestine intelligence activities, and that such investigation of a U.S. person is not conducted solely on the basis of activities protected by the First Amend,ment; b. a description of the results of the NSA's end-to-end system engineering and process reviews, including any additional instances of non-compliance identified therefrom;
.
'

TOP SECRET//COMINT/.tNOFORN//MR

l9

1846 & 1862 PRODUCTION 5 MARCH 2009 -176-

. .:

TOP SECRET//COMINT//NOFORN//MR
c. a full discussion of the steps taken to remedy any additional non-compliance as well as the incidents described herein, and an affidavit attesting that any technological remedies have been tested and demonstrated to be successful; and d. the minimization and oversight procedures the govermnent proposes to employ should the Court decide to authorize the government's resumption of regular access to the BR metadata.

IT IS SO ORDERED, this 2nd day of March, 2009.

Judge, United States Foreign Intelligence Surveillance Court

.TOP SECRET//COM!NTifNOFORN/JM:R 20

1846 & 1862 PRODUCTION 5 MARCH 2009 -177-

All redacted information exempt under (b)(1) and (b)(3) except as otherwise noted.
TOP SECRET//COMINT//NOFORN//MR ,_

UNITED STATES FOREIGN INTELLIGENCE SURVEILLANCE WASHINGTON, DC

c3tr~.lf 26

Pt1

]: <-..J ?':'.>

IN RE PRODUCTION OF TANGIBLE THINGS Docket Number: BR 08-13

NOTICE OF COMPLIANCE INCIDENTS (U)

The United States of America, pursuant to Rule lO(c) of the Foreign Intelligence Surveillance Court Rules of Procedure, advises the Court of the circumstances surrounding two compliance matters in docket number BR 08-13 and prior dockets in this matter. In support of this notice, the Government submits the attached Supplemental Declaration of Lt. General Keith B. Alexander, U.S. Army, Director of the National Security Agency (NSA) ("Supplemental Alexander Declaration"). (TS)
In response to the Court's Order of January 28, 2009, the Director of NSA ordered

end-to-end system engineering and process reviews (technical and operational) of NSA's handling of the call detail records collected pursuant to the Court's authorizations in this matter ("BR metadata"). See Declaration of Lt. General Keith B.

TOP SECRET//COMINT//NOFORN//MR

TOP SECRET//COMINT//NOFORN//MR

Alexander, U.S. Army, Director, National Security Agency, filed February 17, 2009, at 21 ("Alexander Declaration"). The Director also ordered an audit of all queries made of the BR metadata repository since November 1, 2008, to determine if any of the queries during that period were made using telephone identifiers for which NSA had not determined that a reasonable, articulable suspicion exists that they are associated with

as required by the Court's Primary Orders. 1 Id. at 2223. These reviews identified the following two matters where NSA did not handle the BR metadata in the manner authorized by the Court.2 (TS//SI//NF)

ueries Usin

. On February 19, 2009, NSA notified the National

Security Division (NSD) and the Office of the Director of National Intelligence that one
0

of its analytical tools (known as

) may have been used to query the BR

metadata and that such queries may have used non-RAS-approved telephone identifiers. Supp. Alexander Deel. at 5. According to the Supplemental Alexander Declaration, determined if a record of a telephone identifier was present in

NSA databases and, if so, provided analysts with certain information regarding the calling activity associated with that identifier. Id. at 3, 5-6. It did not provide analysts with the telephone identifiers that were in contact with the telephone identifier that

In this notice, the Government will refer to this standard as the "RAS standard" and telephone identifiers that satisfy the standard as "RAS-approved." (S)
1
2

NSD orally notified Court advisors of these two matters on February 20, 2009. (S)

TOP SECRET//COMINT//NOFORN//MR
2

TOP SECRET//COMINT//NOFORN//MR

served as a basis for the query. Id. at 3, 6. Although

could operate as a

stand-alone tool, it more often operated automatically in support of other analytic tools, namely , which is described more fully in the Supplemental

Alexander Declaration. Id. at 3, 5-7. Since the Court's initial Order in May 2006, would search the BR metadata and other NSA databases. Id. at 2-3, 5-6. (TS//SI//NF) According to the Supplemental Alexander Declaration, on February 18, 2009, NSA disabled portions of two analytic tools, often invoked confirmed that that most

query mechanism. Id. at 7. On February 19, 2009, NSA was querying the BR metadata without requiring RAS-

approval of the telephone identifiers used as query terms. Id. at 5. NSA then began to eliminate access to the BR metadata. Id. at 3. On February 20, 2009, NSA

restricted access to the BR metadata to permit only manual queries based on RASapproved telephone identifiers and to prevent any automated processes from accessing the BR metadata. Id. at 7, 9. NSA also blocked access to the historical files that were generated from automated queries. Id. at 7. Before re-instituting

automated processes that would access the BR metadata, NSA and NSD will determine that any proposed automated process will access the BR metadata in a manner that complies with the Court's Orders. Id. at 9-10. (TS//SI//NF)

TOP SECRET//COMINT//NOFORN//MR 3

TOP SECRET//COMINT//NOFORN//MR Improper Analyst Queries Since November 1, 2008. On February 20, 2009, NSA notified NSD that NSA's audit of queries since November 1, 2008 had identified three analysts who conducted chaining in the BR metadata using fourteen telephone identifiers that had not been RAS-approved before the queries. According to the Supplemental Alexander Declaration: One analyst conducted contact chaining queries on four non-RASapproved telephone identifiers on November 5, 2008; A second analyst conducted one contact chaining query on one non-RASapproved telephone identifier on November 18, 2008; and A third analyst conducted contact chaining queries on three non- RASapproved telephone identifiers on December 31, 2008; one non-RAS approved identifier on January 5, 2009; three non-RAS approved identifiers on January 15, 2009; and two non-RAS approved identifiers on January 22, 2009. Id. at 8. None of the telephone identifiers used as seeds was associated with a U.S. person or telephone identifier, and none of the improper queries resulted in intelligence reporting. Id. at 8-9. According to the Supplemental Alexander Declaration, at the time of the improper queries, the three analysts were conducting queries of telephone metadata other than the BR metadata, and each appears to have been unaware that they were conducting queries of the BR metadata. Id. at 9. (TS//SI//NF) TOP SECRET//COMINT//NOFORN//MR 4

TOP SECRET//COMINT//NOFORN//MR

As stated in the Alexander Declaration, NSA began designing a software fix to prevent the querying of the BR metadata with telephone identifiers that had not been RAS-approved. Alexander Deel. at 23-24. On February 20, 2009, NSA installed that software fix; as a result, no non-RAS-approved telephone identifier may be used to query the BR metadata. Supp. Alexander Deel. at 9. (TS//Sl//NF)

-- Remainder of page intentionally left blank --

TOP SECRET//COMINT//NOFORN//MR
5

(b)(6)

TOP SECRET//COMINT//NOFORN//MR

The Government acknowledges that in the above matters it did not handle the BR metadata in the manner authorized by the Court. These matters were identified as a result of the several oversight and investigative obligations that the Government voluntarily undertook as a result of the Court's Order of January 28, 2009. The Government also has implemented certain additional restrictions on the access to the BR metadata that are designed to prevent the recurrence of improper access to the BR metadata. Accordingly, the Government respectfully submits that the Court need not take any further remedial action. (TS//SI//NF)

Respectfully submitted,

Acting Section Chief, Oversight

Office of Intelligence National Security Division United States Department of Justice

TOP SECRET//COMINT//NOFORN//MR 6

TOP SECRET//COMINT//NOFORN//MR UNITED STATES FOREIGN INTELLIGENCE SURVEILLANCE COURT WASHINGTON, D.C.

(TS) In Re Production of Tangible Things from

I) I
)

Docket No.: BR 08-13

SUPPLEMENTAL DECLARATION OF LIEUTENANT GENERAL KEITH B. ALEXANDER, UNITED STATES ARMY, DIRECTOR OF THE NATIONAL SECURITY AGENCY

(U) I, Lieutenant General Keith B. Alexander, depose and state as follows: (U) I am the Director of the National Security Agency ("NSA" or "Agency"), an intelligence agency within the Department of Defense ("DoD"), and have served in this position since 2005. I currently hold the rank of Lieutenant General in the United States Army and, concurrent with my current assignment as Director of the National Security Agency, I also serve as the Chief of the Central Security Service and as the Commander of the Joint Functional Component Command for Network Warfare. (U) The statements herein are based upon my personal knowledge, information provided to me by my subordinates in the course of my official duties, advice of counsel, and conclusions reached in accordance therewith.

Derived From: NSA/CSSM 1-52 Dated: 20070108 Declassify On: MR


TOP SECRET//COMINT//NOFORN//MR

TOP SECRET//COMINT//NOFORN//MR

I. (U) Purpose:

(TS//SI//NF) Pursuant to a series of Orders issued by the Court since May 2006, NSA has been receiving telephony metadata from telecommunications providers. NSA refers to
t~e

Orders collectively as the "Business Records Order" or "BR FISA." Among

other things, the Business Records Order requires NSA to determine that there is a reasonable articulable suspicion ("RAS") to believe that a telephone identifier that NSA wishes to use as a "seed" for accessing the BR FISA data is associated with

This supplemental declaration describes two compliance matters that NSA has discovered while implementing the corrective actions the Government described to the Court in the brief and declaration filed with the Court on 17 February 2009 regarding a compliance matter that the Department of Justice ("DoJ") first brought to the Court's attention on 15 January 2009. See, respectively, Memorandum of the United States in Response to Court's Order Dated January 28, 2009, ("DoJ Memo") and Declaration of Keith B. Alexander ("Alexander Declaration"), Docket BR 08-13.

II. (U) Incidents:


A. (U) Summary

(TS//SI//NF) During an end-to-end review ofNSA's technical infrastructure that I ordered in response to the compliance incident that DoJ reported to the Court on 15 January 2009, NSA personnel determined on 18 February 2009 that an NSA analytical tool known a was querying both E.O. 12333 and the Business Records

TOP SECRET//COMINT//NOFORN//MR
-2-

TOP SECRET//COMINT//NOFORN//MR data and that such queries would not have been limited to RAS approved telephone identifiers. As explained further b e l o w , - was automatically invoked to support certain types of analytical research. Specifically, to help analysts identify a phone number of interest. If an analyst conducted research supported b y - , the analyst would receive a generic notification that NSA's signals intelligence ("SIGINT") databases contained one or more references to the telephone identifier in which the analyst was interested; a count of how many times the identifier was present in SIGINT databases; the dates of the first and last call events associated with the identifier; a count of how many other unique telephone identifiers had direct contact with the identifier that was the subject of the analyst's research; the total number of calls made to or from the telephone identifier that was the subject of the analyst's research; the ratio of the count of total calls to the count of unique contacts; and the amount of time it took to process the analyst's query. did not return to the analyst the actual telephone identifier(s)

that were in contact with the telephone identifier that was the subject of the analyst's research and the analyst did not receive a listing of the individual NSA databases that were queried b y (TS//SI//NF) After identifying t h a t - was allowing non-RAS approved telephone identifiers to be used to conduct queries of the BR FISA metadata to generate the statistical information t h a t - returned to individual analysts, NSA personnel immediately began to eliminate ability to access the BR FISA data. As of

20 February 2009, no automated analytic process or analytical tool can access the telephony metadata NSA receives pursuant to the Business Records Order. Moreover, the system's change of 20 Feburary 2009 also prevents manual queries of the BRFISA TOP SECRET//COMINT//NOFORN//MR
-3-

TOP SECRET//COMINT//NOFORN//MR metadata unless NSA has determined that the telephone identifier that is being used to query the data has satisfied the RAS standard. (TS//SI//NF) In addition to the problem NSA identified r e g a r d i n g during a 100% audit of individual analyst queries of the BR FISA metadata, NSA personnel discovered that three analysts inadvertently accessed the Business Records data using fourteen different non-RAS approved selectors between 1November2008 and 23 January 2009. None of the improper queries resulted in any intelligence reporting and none of the identifiers were associated with a U.S. telephone identifier or U.S. person. The technical change NSA implemented on 20 February 2009 to correct the problem of automated BR FISA queries also included another software change that prevents manual queries against non-RAS approved identifiers. Thus, the 20 February 2009 system upgrades should prevent recurrences of the improper analyst queries that are also discussed in detail below.

B. (U) Details (S) Incident 1: -

(TS//SI//NF) As part of the response to the compliance problem described to the Court in my 17 February 2009 declaration, I ordered an examination "to ensure that NSA's technical infrastructure has not allowed, and will not allow, non-approved selectors to be used as seeds for contact chaining of the BR FISA

data." Alexander Declaration at 22. I also stated that NSA would "report to DoJ and the

TOP SECRET//COMINT//NOFORN//MR
-4-

TOP SECRET//COMINT//NOFORN//MR Court if this examination of the technical infrastructure reveals any incidents of improper querying of the BR FISA data repository.". Id. (TS//SI//NF) On 18 February 2009, NSA technical personnel notified NSA's Office of General Counsel that, as part of the review ofNSA's technical infrastructure that I ordered, they discovered that the use o f - may have resulted in queries of NSA's BR FISA data and that such queries would not have been limited to the use of RAS approved telephone identifiers. On 19 February 2009, NSA personnel confirmed that this was, in fact, the case. NSA informally notified DoJ and the Office of the Director of National Intelligence of this problem later that same day. (S//SI) As I stated above, NSA u s e s - t o support analytical research regarding telephone identifiers that are of intelligence interest to NSA's SIGINT personnel. determines if a telephone identifier is present in NSA data

repositories and also reports the level of calling activity associated with any particular telephone identifier. Although- can be used as a stand-alone tool, it is used more often as a background process in support of other NSA analytical tools. (S//SI)

TOP SECRET//COMINT//NOFORN//MR
- 5-

TOP SECRET//COMINT//NOFORN//MR

The results of the queries (the number of unique contacts found for each expanded

telephone identifier; the total number of calls made to or from the telephone identifier that served as the basis for the query; the ratio of total calls to unique calls; the date of the first call event recorded; the date of the last call event; and the amount of time it took to process the query) would be displayed to the analyst

~~~~~~~~~~~~~~

Although

~~~~

rro longer can access the

BR FISA data,

greatly assists analysts to choose selectively the best does not return

identifiers for further target development. As I stated above,

the telephone identifier(s) that were in contact with the telephone identifier that was the subject of the analyst's research. (TS//SV/NF) NSA has determined that the Agency had configured-to include the BR FISA data repository as one of the sources of SIGINT data that - q u e r i e d since the issuance of the first Business Records Order in May 2006.

TOP SECRET//COMINT//NOFORN//MR
-6-

TOP SECRET//COMINT//NOFORN//MR This configuration remained in place until NSA identified this problem on 18 February 2009. As noted previously,-did not tell individual analysts which SIGINT databases-was querying nor did the tool provide analysts with the actual telephone numbers that had been in direct contact with the identifiers that served as the basis f o r - queries. In other words, if an analyst wanted to construct a chain. of the contacts associated with an identifier that had been the subject of a

- q u e r y , the analyst was required to query the appropriate data repositories directly. For BR FISA data, this meant that only an analyst approved for access to BR FISA material could conduct such a query. (TS//SI//NF) Upon identification of this problem, NSA took immediate corrective actions. First, on the evening of 18 February 2009, NSA's Signals Intelligence Directorate disabled portions of two analytical tools used most often to invoke automatic query mechanism. Second, on the morning of 19 February 2009, NSA shut down-itself. Third, after conducting further examination of the problem, on the morning of20 February 2009, t.he Signals Intelligence Directorate installed a technical safeguard called Emphatic Access Restriction, which is the equivalent of a firewall that prevents any automated process or subroutine from accessing the BR FISA data. 2 Fourth, on the evening of Friday, 20 February 2009, NSA blocked access to the historical files that were generated from automated-queries.

(TS//SI//NF) This technical safeguard had been under development since mid-January 2009, following the initial discovery of compliance issues associated with the Business Records Order. The safeguard also prevents analysts from performing manual chaining on numbers that have not been marked as RAS approved.

TOP SECRET//COMINT//NOFORN//MR -7-

TOP SECRET//COMINT//NOFORN//MR (S) Incident 2: Improper Analyst Queries (TS//SI//NF) Among the other corrective actions described to the Court in the Government's filing on 17 February 2009, NSA also initiated an audit of all queries made of the BR FISA data between 1November2008 and 23 January 2009. See Alexander Declaration at 22-23. As part of this audit, NSA has identified additional instances of improper analyst queries of the BR FISA data. None of the improper queries resulted in any intelligence reporting and none of the identifiers were associated with a U.S. telephone number or person. (TS//SI//NF) Prior to 15 January 2009, audits of BR FISA queries were implemented as spot checks of analyst queries or would be limited to a single day's worth of queries. After one of these spot checks identified improper queries conducted by two analysts, the Agency decided to conduct a more comprehensive audit of all analysts queries of the BR FISA metadata conducted between 1November2008 to 23 January 2009. See Alexander Declaration at 22-23. When NSA oversight personnel completed the first round of this comprehensive audit, they discovered that three analysts were responsible for fourteen instances of improper querying of the BR FISA data. The fourteen seed identifiers did not meet RAS approval prior to the analysts' queries. The first analyst conducted one query on one non-RAS approved seed identifier on 18 November 2008. The second analyst chained on four different non-RAS approved seeds on 5 November 2008. The third analyst chained on three different non-RAS approved seeds on 31 December 2008; one non-RAS approved identifier on 5 January 2009; three different non-RAS approved identifiers on 15 January 2009; and two different non-RAS approved identifiers on 22 January 2009. None of the improper TOP SECRET//COMINT//NOFORN//MR

-8-

TOP SECRET//COMINT//NOFORN//MR queries resulted in any intelligence reporting and none of the identifiers were associated with a U.S. telephone identifier or U.S. person. (TS//SI//NF) Each of the analysts responsible for these improper queries did not realize they were conducting queries in the BR FISA data. This conclusion is based on an audit of other queries they were conducting at the same time as well as questioning of the analysts by NSA's Oversight and Compliance Office. Each analyst thought they were conducting queries of other repositories of telephony metadata that are not subject to the requirements of the Business Records Order.3 On 20 February 2009, software changes were made to ensure analysts could only access the BR data using this new version of the chaining tool. (TS//SI//NF) As the Government reported in its filing of 17 February 2009, NSA decided to design new software to prevent the querying of any telephone identifier within the BR FISA data unless the identifier has been RAS-approved. See Alexander Declaration at 23-24. On 20 February 2009, the software change NSA made to prevent automated tools from access the BR FISA metadata also prevents any non-RAS approved selector from being used as a seed for manual querying of the BR FISA data.

III. (U) Conclusion:


(TS//SI//NF) NSA's implementation of Emphatic Access Restriction should prevent recurrences of both types of compliance incidents that are the subject of this supplemental declaration to the Court. NSA's BR FISA data repository is currently only able to accept manual queries based on a RAS-approved telephone identifier. Prior to
3

(TS//SI//NF) At the time of the improper queries, each of these analysts were using dual screen computer equipment that provided the analysts with simultaneous access to BR FISA data and metadata that is not subject to the Business Records Order.

TOP SECRET//COMINT//NOFORN//MR

-9-

TOP SECRET//COMINT//NOFORN//MR reinstituting any automated process that would provide any sort of access to, or comparison against, the BR FISA data, NSA' s Office of General Counsel and the Department of Justice will review and approve the process. (TS//SI//NF) Notwithstanding implementation of Emphatic Access Restriction, NSA continues to examine its technical infrastructure to ensure that queries of BR FISA metadata are restricted to the use of RAS approved telephone identifiers. I expect that any further problems NSA personnel may identify with the infrastructure will be historical in nature. However, as indicated in my previous declaration to the Court, NSA will report any further problems Agency personnel may identify (whether current or historical) to both DoJ and the Court.

TOP SECRET//COMINT//NOFORN//MR
- 10 -

TOP SECRET//COMINT//NOFORN//MR

(U) I declare under penalty of perjury that the facts set forth above are true and correct.

Lieutenant General, U.S. Army Director, National Security Agency

TOP SECRET//COMINT//NOFORN//MR
- 11 -

All redacted information exempt under (b)(1) and (b)(3) except as otherwise noted.

TOP SECRET//COMINT//NOFORN//MR
UNITED STATES FOREIGN INTELLIGENCE SURVEILLANCE COURT WASHINGTON, D.C.

IN RE PRODUCTION OF TANGIBLE THINGS FROM Docket Number: BR 08-13

ORDER

On December 12, 2008, the Foreign Intelligence Surveillance Court ("FISC" or "Court") re-authorized the government to acquire the tangible things sought by the government in its application in the above-captioned docket ("BR 08-13"). Specifically, the Court orderedto produce, on an ongoing daily basis for the duration of the order, an electronic copy of all call detail records or "telephony metadata" created by BR 08-13, Primary Order at 4. The Court found reasonable grounds to believe that the tangible things sought are relevant to authorized investigations being conducted by the Federal Bureau of Investigation ("FBI") to protect against international terrorism, which investigations are not being conducted solely upon the basis of First Amendment protected activities, as required by 50 U.S.C. 1861(b)(2)(A) and (c)(l). Id. at 3. In making this finding, the Court relied on the

TOP SECRET//COMINT//NOFORN//MR
1

TOP SECRET//COMINT//NOFORN//MR
assertion of the National Security Agency ("NSA") that having access to the call detail records "is vital to NSA's counterterrorism intelligence mission" because "[t]he only effective means by which NSA analysts are able continuously to keep track of , and all affiliates of one of the aforementioned entities [who are taking steps to disguise and obscure their communications and identities], is to obtain and maintain an archive of metadata that will permit these tactics to be uncovered." BR 08-13, Application Exhibit A, Declaration o f Signals Intelligence Directorate Deputy Program Manager , NSA, filed Dec. 11, 2008 ( ' - Declaration") at 5. NSA also averred that [t]o be able to exploit metadata fully, the data must be collected in bulk .... The ability to accumulate a metadata archive and set it aside for carefully controlled searches and analysis will substantially increase NSA's ability to detect and identify members o

Id. at 5-6. Because the collection would result in NSA collecting call detail records pertaining to of telephone communications, including call detail records pertaining to communications of United States ("U.S.") persons located within the U.S. who are not the subject of any FBI investigation and whose metadata could not otherwise be legally captured in bulk, the government proposed stringent minimization procedures that strictly controlled the

TOP SECRET//COMINT//NOFORN//MR 2

TOP SECRET//COMINT//NOFORN//MR
acquisition, accessing, dissemination, and retention of these records by the NSA and the FBI.1 BR 08-13, Application at 12, 19-28. The Court's Primary Order directed the government to strictly adhere to these procedures, as required by 50 U.S.C. 186l(c)(l). Id. at 4-12. Among other things, the Court ordered that: access to the archived data shall occur only when NSA has identified a known telephone identifier for which, based on the factual and practical considerations of everyday life on which reasonable and prudent persons act, there are facts giving rise to a reasonable, articulable suspicion that the telephone identifier is associated
wit

; provided, however, that a telephone identifier believed to be used by a U.S. person shall not be re arded as associated withl solely on the basis of activities that are protected by the First Amendment to the Constitution. Id. at 8 (emphasis added). In response to a Preliminary Notice of Compliance Incident dated January 15, 2009, this Court ordered further briefing on the non-compliance incident to help the Court assess whether its Orders should be modified or rescinded; whether other remedial steps should be directed; and whether the Court should take action regarding persons responsible for any misrepresentations to the Court or violations of its Orders. Order Regarding Preliminary Notice of Compliance Incident Dated January 15, 2009, issued Jan. 28, 2009, at 2. The government timely filed its Memorandum in Response to the Court's Order on February 17, 2009. Memorandum of the United States In Response to the Court's Order Dated January 28, 2009 ("Feb. 17, 2009

The Court notes that the procedures set forth in the government's application and the Declaration are described in the government's application as "minimization procedures." BR 08-13, Application at 20.

TOP SECRET//COMINT//NOFORN//MR
3

TOP SECRET//COMINT//NOFORN//MR
Memorandum"). A. NSA's Unauthorized Use of the Alert List The government reported in the Feb. 17, 2009 Memorandum that, prior to the Court's initial authorization on May 24, 2006 (BR 06-05), the NSA had developed an "alert list process" to assist the NSA in prioritizing its review of the telephony metadata it received. Feb. 17, 2009 Memorandum at 8. Following the Court's initial authorization, the NSA revised this alert list process so that it compared the telephone identifiers on the alert list against incoming FISCauthorized Business Record metadata ("BR metadata") and SIGINT collection from other sources, and notified NSA' s counterterrorism organization if there was a match between an identifier on the alert list and an identifier in the incoming data. Feb. 17, 2009 Memorandum at 9-10. The revised NSA process limited any further analysis of such identifiers using the BR metadata to those telephone identifiers determined to have met the "reasonable articulable suspicion" standard (hereafter "RAS-approved identifiers") set forth above. Id. at 10-11. However, because the alert list included all identifiers (foreign and domestic) that were of interest to counterterrorism analysts who were charged with trackin most of the telephone identifiers compared against the incoming BR metadata were not RAS-approved. 2 Feb. 17, 2009 Memorandum at 10-11. Thus, since the earliest days of the FI SC-authorized collection of call-detail records by the NSA, the

As an example, the government reports that as of January 15, 2009, only 1,935 of the 17,835 identifiers on the alert list were RAS-approved. Feb.17, 2009 Memorandum at 11.

TOP SECRET//COMINT//NOFORN//MR
4

TOP SECRET//COMINT//NOFORN//MR
NSA has on a daily basis, accessed the BR metadata for purposes of comparing thousands of nonRAS approved telephone identifiers on its alert list against the BR ~etadata in order to identify any matches. Such access was prohibited by the governing minimization procedures under each of the relevant Court orders, as the government concedes in its submission. Feb. 17, 2009 Memorandum at 16. The government's submission suggests that its non-compliance with the Court's orders resulted from a belief by some personnel within the NSA that some of the Court's restrictions on access to the BR metadata applied only to "archived data," i.e., data residing within certain databases at the NSA. Feb. 17, 2009 Memorandum, Tab 1, Declaration of Lieutenant General Keith B. Alexander, United States Army, Director of the NSA ("Feb. 17, 2009 Alexander Declaration") at 10-11. That interpretation of the Court's Orders strains credulity. It is difficult to imagine why the Court would intend the applicability of the RAS requirement - a critical component of the procedures proposed by the government and adopted by the Court - to tum on whether or not the data being accessed has been "archived" by the NSA in a particular database at the time of the access. Indeed, to the extent that the NSA makes the decision about where to store incoming BR metadata and when the archiving occurs, such an illogical interpretation of the Court's Orders renders compliance with the RAS requirement merely optional. The NSA also suggests that the NSA OGC's approval of procedures allowing the use of non-RAS-approved identifiers on the alert list to query BR metadata not yet in the NSA's "archive" was not surprising, since the procedures were similar to those used in connection with

TOP SECRET//COMINT//NOFORN//MR 5

TOP SECRET//COMINT//NOFORN//MR
other NSA SIGINT collection activities. Feb 17, 2009 Alexander Declaration at 11, n.6. If this is the case, then the root of the non-compliance is not a terminological misunderstanding, but the NSA's decision to treat the accessing of all call detail records produced by no differently than other collections under separate NSA authorities, to which the Court-approved minimization procedures do not apply. B. Misrepresentations to the Court The government has compounded its non-compliance with the Court's orders by repeatedly submitting inaccurate descriptions of the alert list process to the FISC. Due to the volume of U.S. person data being collected pursuant to the Court's orders, the FISC's orders have all required that any renewal application include a report on the implementation of the Court's prior orders, including a description of the manner in which the NSA applied the minimization procedures set forth therein. See, e.g., BR 08-13, Primary Order at 12. In its report to the FISC accompanying its first renewal application that was filed on August 18, 2006, the government described the alert list process as follows: NSA has compiled through its continuous counter-terrorism analysis, a list of telephone numbers that constitutes an "alert list" of telephone numbers used by members of . This alert list serves as a body of telephone numbers employed to query the data ....

IS

evaluated to determine whether the information about it provided to NSA satisfies the reasonable articulable suspicion standard. If so, the foreign telephone number is placed on the alert list; if not, it is not placed on the alert list. The process set out above applies also to newly discovered domestic

TOP SECRET//COMINT//NOFORN//MR 6

TOP SECRET//COMINT//NOFORN//MR
telephone numbers considered for addition to the alert list, with the additional requirement that NSA's Office of General Counsel reviews these numbers and affirms that the telephone number is not the focus of the analysis based solely on activities that are protected by the First Amendment. ...

As of the last day of the reporting period addressed herein, NSA had included a total of 3980 telephone numbers on the alert list, which includes foreign numbers and domestic numbers, after concluding that each of the foreign telephone numbers satisfied the [RAS standard], and each of the domestic telephone numbers was ether a FISC approved number or in direct contact with a foreign seed that met those criteria.[ 3] To summarize the alert system: every day new contacts are automatically revealed with the 3980 telephone numbers contained on the alert list described above, which themselves are present on the alert list either because they satisfied the reasonable articulable suspicion standard, or because they are domestic numbers that were either a FISC approved number or in direct contact with a number that did so. These automated queries identify any new telephone contacts between the numbers on the alert list and any other number, except that domestic numbers do not alert on domestic-to-domestic contacts. NSA Report to the Foreign Intelligence Surveillance Court, Docket no. BR 06-05, filed Aug. 18, 2006 at 12-15 (emphasis added). This description was included in similar form in all subsequent reports to the Court, including the report submitted to this Court on December 11, 2008. Feb. 17, 2009 Memorandum at 13. The NSA attributes these material misrepresentations to the failure of those familiar with

The report further explained that identifiers within the second category of domestic numbers were not used as "seeds." NSA Report to the Foreign Intelligence Surveillance Court, Docket no. BR 06-05, filed Aug. 18, 2006 at 14. Moreover, rather than conducting daily queries of the RAS-approved foreign telephone identifier that originally contacted the domestic number, the domestic numbers were included in the alert list as "merely a quicker and more efficient way of achieving the same result.. .. " Id. at 14 n.6. In November 2006, the NSA reported that it ceased this activity on August 18, 2006. Feb. 17, 2009 Alexander Declaration at 7 n. l.

TOP SECRET//COMINT//NOFORN//MR 7

TOP SECRET//COMINT//NOFORN//MR
the program to correct inaccuracies in a draft of the report prepared in August 2006 by a managing attorney in the NSA's Office of General Counsel, despite his request that recipients of the draft "make sure everything I have siad (sic) is absolutely true.'>1 Feb. 17, 2009 Alexander Declaration at 16-17; see also id. at Exhibit D. Further, the NSA reports: it appears there was never a complete understanding among the key personnel who reviewed the report for the SIGINT Directorate and the Office of General Counsel regarding what each individual meant by the terminology used in the report. Once this initial misunderstanding occurred, the alert list description was never corrected since neither the SIGINT Directorate nor the Office of General Counsel realized there was a misunderstanding. As a result, NSA never revisited the description of the alert list that was included in the original report to the Court. Feb. 17, 2009 Alexander Declaration at 18. Finally, the NSA reports that "from a technical standpoint, there was no single person who had a complete technical understanding of the BR FISA system architecture. This probably also contributed to the inaccurate description of the alert list that NSA included in its BR FISA reports to the Court." Id. at 19. Regardless of what factors contributed to making these misrepresentations, the Court finds that the government's failure to ensure that responsible officials adequately understood the NSA' s alert list process, and to accurately report its implementation to the Court, has prevented,

The Court notes that at a hearing held on August 18, 2006, concerning the government's first renewal application (BR 06-08), the NSA's affiant testified as follows: THE COURT: All right. Now additionally, you have cause to be -well at least I received it yesterday - the first report following the May 24 order, which is a 90-day r e p o r t , - and some 18 pages and I've reviewed that and you affirm that that's the best report or true and accurate to the best of your knowledge and belief. : I do, sir. Transcript of Proceedings before the Hon. Malcolm J. Howard, U.S. FISC Judge, Docket No. BR 06-08, Aug. 18, 2006, at 12.

TOP SECRET//COMINT//NOFORN//MR 8

TOP SECRET//COMINT//NOFORN//MR
for more than two years, both the government and the FISC from taking steps to remedy daily violations of the minimization procedures set forth in FISC orders and designed to protect - c a l l detail records pertaining to telephone communications of U.S. persons located within the United States who are not the subject of any FBI investigation and whose call detail information could not otherwise have been legally captured in bulk. C. Other Non-Compliance Matters Unfortunately, the universe of compliance matters that have arisen under the Court's Orders for this business records collection extends beyond the events described above. On October 17, 2008, the government reported to the FISC that, after the FISC authorized the NSA to increase the number of analysts authorized to access the BR metadata to 85, the NSA trained those newly authorized analysts on Court-ordered procedures. Sixty-Day Report for Filing in Docket Number BR 08-08, filed Oct. 17, 2008 at 7. Despite this training, however, the NSA subsequently determined that 31 NSA analysts had queried the BR metadata during a five day period in April 2008 "without being aware they were doing so." Id. (emphasis added). As a result, the NSA analysts used 2,3 73 foreign telephone identifiers to query the BR metadata without first determining that the reasonable articulable suspicion standard had been satisfied.

Upon discovering this problem, the NSA undertook a number of remedial measures, including suspending the 31 analysts' access pending additional training, and modifying the NSA's tool for accessing the data so that analysts were required specifically to enable access to

TOP SECRET//COMINT//NOFORN//MR 9

TOP SECRET//COMINT//NOFORN//MR
the BR metadata and acknowledge such access. Id. at 8. Despite taking these corrective steps, on December 11, 2008, the government informed the FISC that one analyst had failed to install the modified access tool and, as a result, inadvertently queried the data using five identifiers for which NSA had not determined that the reasonable articulable suspicion standard was satisfied. Preliminary Notice of Compliance Incident, Docket no. BR 08-08, filed Dec. 11, 2008 at 2; see also Notice of Compliance Incident Involving Docket Number BR 08-08, filed Jan. 22, 2009. Then, on January 26, 2009, the government informed the Court that, from approximately December 10, 2008, to January 23, 2009, two NSA analysts had used 280 foreign telephone identifiers to query the BR metadata without determining that the Court's reasonable articulable suspicion standard had been satisfied. Notice of Compliance Incident, Docket No. BR 08-13, filed January 26, 2009 at 2. It appears that these queries were conducted despite full implementation of the above-referenced software modifications to the BR metadata access tool, as well as the NSA's additional training of its analysts.5 And, as noted below with regard to the NSA's routine use of the tool from May 2006 until February 18, 2009, the NSA

continues to uncover examples of systemic noncompliance. In summary, since January 15, 2009, it has finally come to light that the FISC's authorizations of this vast collection program have been premised on a flawed depiction of how

0n October 17, 2008, the government reported that all but four analysts who no longer required access to the BR metadata had completed the additional training and were provided access to the data. Sixty-Day Report for Filing in Docket Number BR 08-08, filed Oct. 17, 2008 at 8 n.6.

TOP SECRET//COMINT//NOFORN//MR 10

TOP SECRET//COMINT//NOFORN//MR
the NSA uses BR metadata. This misperception by the FISC existed from the inception of its authorized collection in May 2006, buttressed by repeated inaccurate statements made in the government's submissions, and despite a government-devised and Court-mandated oversight regime. The minimization procedures proposed by the government in each successive application and approved and adopted as binding by the orders of the FISC have been so frequently and systemically violated that it can fairly be said that this critical element of the overall BR regime has never functioned effectively. D. Reassessment of BR Metadata Authorization In light of the foregoing, the Court returns to fundamental principles underlying its authorizations. In order to compel the production of tangible things to the government, the Court must find that there are reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation (other than a threat assessment) to obtain foreign intelligence information not concerning a U.S. person or to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a U.S. person is not conducted solely on the basis of activities protected by the First Amendment. 50 U.S.C. 1861. The government's applications have all acknowledged that, of t h e - c a l l detail records NSA receives per day (currently o v e r - per day), the vast majority of individual records that are being sought pertain neither to

See,~'

BR 08-13, Application at 19-20. In other words,

TOP SECRET//COMINT//NOFORN//MR
11

TOP SECRET//COMINT//NOFORN//MR
nearly all of the call detail records collected pertain to communications of non-U.S. persons who are not the subject of an FBI investigation to obtain foreign intelligence information, are communications of U.S. persons who are not the subject of an FBI investigation to protect against international terrorism or clandestine intelligence activities, and are data that otherwise could not be legally captured in bulk by the government. Ordinarily, this alone would provide sufficient grounds for a FISC judge to deny the application. Nevertheless, the FISC has authorized the bulk collection of call detail records in this case based upon: ( 1) the government's explanation, under oath, of how the collection of and access to such data are necessary to analytical methods that are vital to the national security of the United States; and (2) minimization procedures that carefully restrict access to the BR metadata and include specific oversight requirements. Given the Executive Branch.'s responsibility for and expertise in determining how best to protect our national security, and in light of the scale of this bulk collection program, the Court must rely heavily on the government to monitor this program to ensure that it continues to be justified, in the view of those responsible for our national security, and that it is being implemented in a manner that protects the privacy interests of U.S. persons as required by applicable minimization procedures. To approve such a program, the Court must have every confidence that the government is doing its utmost to ensure that those responsible for implementation fully comply with the Court's orders. The Court no longer has such confidence.

TOP SECRET//COMINT//NOFORN//MR 12

TOP SECRET//COMINT//NOFORN//MR
With regard to the value of the BR metadata program, the government points to the 275 reports that the NSA has provided to the FBI identifying 2,549 telephone identifiers associated with the targets. Feb. 17, 2009 Alexander Declaration at 42. The government's submission also cites three examples in which the FBI opened three new preliminary investigations of persons in the U.S. based on tips from the BR metadata program. Id., FBI Feedback on Report, Exhibit J. However, the mere commencement of a preliminary investigation, by itself, does not seem particularly significant. Of course, if suc.h an investigation led to the identification of a previously unknown terrorist operative in the United States, the Court appreciates that it would be of immense value to the government. In any event, this program has been ongoing for nearly three years. The time has come for the government to describe to the Court how, based on the information collected and analyzed during that time, the value of the program to the nation's security justifies the continued collection and retention of massive quantities of U.S. person information. Turning to the government's implementation of the Court-ordered minimization procedures and oversight regime, the Court takes note of the remedial measures being undertaken by the government as described in its recent filings. In particular, the Court welcomes the Director of the NSA's decision to order "end-to-end system engineering and process reviews (technical and operational) ofNSA's handling" of BR metadata. Feb. 17, 2009 Alexander Declaration at 21. However, the Court is very disturbed to learn that this ongoing exercise has identified additional violations of the Court's orders, including the routine accessing of BR

TOP SECRET//COMINT//NOFORN//MR
13

TOP SECRET//COMINT//NOFORN//MR
metadata from May 2006 to February 18, 2009, through another NSA analytical tool known as using telephone identifiers that had not been determined to meet the reasonable articulable suspicion standard. BR 08-13, Notice of Compliance Incident, filed Feb. 26, 2009 ("Feb. 26, 2009 Notice"). In its last submission, the government describes technical measures implemented on February 20, 2009, designed to prevent any recurrences of the particular forms of noncompliance uncovered to date. This "technical safeguard" is intended to prevent "any automated process or subroutine," such a s - "from accessing the BR FISA data," and to prevent "analysts from performing manual chainingrJ on numbers that have not been marked as RAS approved." See Supplemental Declaration of Lieutenant General Keith B. Alexander, United States Army, Director ofNSA, filed Feb. 26, 2009 ("Feb. 26, 2009 Alexander Declaration") at 7
& n.2. On the strength of these measures, the government submits that "the Court need not take

any further remedial action." Feb. 26, 2009 Notice at 6. After considering these measures in the context of the historical record of non-compliance and in view of the Court's authority and responsibility to "determine [and] enforce compliance" with Court orders and Court-approved procedures, 50 U.S.C. 1803(i), the Court has concluded that further action is, in fact, necessary. The record before the Court strongly suggests that, from the inception of this FISA BR

In context, "chaining" appears to refer to the form of querying the BR metadata known as "contact chaining." See eclaration at 6.

TOP SECRET//COMINT//NOFORN//MR 14

TOP SECRET//COMINT//NOFORN//MR
program, the NSA's data accessing technologies and practices were never adequately designed to comply with the governing minimization procedures. From inception, the NSA employed two separate automated processes - the daily alert list and t h e - tool - that routinely involved queries based on telephone identifiers that were not RAS-approved. See supra pp. 4-6, 13-14. As for manual queries, the minimization procedures required analysts to use RASapproved identifiers whenever they accessed BR metadata, yet thousands of violations resulted from the use of identifiers that had not been RAS-approved by analysts who were not even aware that they were accessing BR metadata. See supra pp. 9-10. Moreover, it appears that the NSA- or at least those persons within the NSA with knowledge of the governing minimization procedures - are still in the process of determining how the NSA's own systems and personnel interact with the BR metadata. Under these circumstances, no one inside or outside of the NSA can represent with adequate certainty whether the NSA is complying with those procedures. In fact, the government acknowledges that, as of August 2006, "there was no single person who had a complete understanding of the BR FISA system architecture." Feb. 17, 2009 Alexander Declaration at 19. This situation evidently had not been remedied as of February 18, 2009, when "NSA personnel determined," only as a result of the "end-to-end review ofNSA's technical infrastructure" ordered by the Director of the NSA on January 15, 2009, that th tool accessed the BR metadata on

the basis of telephone identifiers that had not been RAS-approved. Feb. 26, 2009 Alexander Declaration at 2-3.

TOP SECRET//COMINT//NOFORN//MR 15

TOP SECRET//COMINT//NOFORN//MR
This end-to-end review has not been completed. Id. at 10. Nonetheless, the government submits that the technical safeguards implemented on February 20, 2009 "should prevent recurrences" of the identified forms of non-compliance, id. at 9 (emphasis added), and "expect[s] that any further problems NSA personnel may identify with the infrastructure will be historical," rather than current, id. at 10 (emphasis added). However, until this end-to-end review has been completed, the Court sees little reason to believe that the most recent discovery of a systemic, ongoing violation - on February 18, 2009 - will be the last. Nor does the Court share the government's optimism that technical safeguards implemented to respond to one set of problems will fortuitously be effective against additional problems identified in the future. Moreover, even with regard to the particular forms of non-compliance that have been identified, there is reason to question whether the newly implemented safeguards will be effective. For example, as discussed above, the NSA reported on October 17, 2008, that it had deployed software modifications that would require analysts to specifically enable access to BR metadata when performing manual queries, but these modifications did not prevent hundreds of additional violations by analysts who inadvertently accessed BR metadata through queries using telephone identifiers that had not been RAS-approved. See supra pp. 9-1 O; Feb. 26, 2009 Alexander Declaration at 4. The Court additionally notes that, in a matter before another judge of the FISC the mere existence of software solutions was not sufficient to ensure their efficacy:

TOP SECRET//COMINT//NOFORN//MR 16

TOP SECRET//COMINT//NOFORN//MR
"NSA's representations to the Court in the August 27, 2008, hearing did not explicitly account for the possibility that system configuration errors (such as those discussed in the government's response to question 10 below) might render NSA' s overcollection filters ineffective, which was the root cause for some of the non-compliance incidents." I Government's Response to the Court's Order of January 16, 2009, answer no. 8 at 13. "Troubleshooting has since revealed that a software patch that might have prevented the [compliance incident] was not present on the recently deployed selection system." Id., answer no. 10 at 14. "NSA further determined [in January 2009] that the overcollection filter had not been functioning since this site was activated on July 30, 2008." Id. In light of what appear to be systemic problems, this Court cannot accept the mere introduction of technological remedies as a demonstration that a problem is solved. More is required. Thus, notwithstanding the remedial measures undertaken by the government, the Court believes that more is needed to protect the privacy of U.S. person information acquired and retained pursuant to the FISC orders issued in this matter. However, given the government's repeated representations that the collection of the BR metadata is vital to national security, and in light of the Court's prior determinations that, if the program is conducted in compliance with appropriate minimization procedures, such collection conforms with 50 U.S.C. 1861, the Court concludes it would not be prudent to order that the government's acquisition of the BR metadata cease at this

TOP SECRET//COMINT//NOFORN//MR 17

TOP SECRET//COMINT//NOFORN//MR
time. However, except as authorized below, the Court will not permit the government to access the data collected until such time as the government is able to restore the Court's confidence that the government can and will comply with previously approved procedures for accessing such data. Accordingly, it is HEREBY ORDERED: 1. The NSA may continue to acquire all call detail records of "telephony metadata" created by in accordance with the orders entered in the above-

captioned docket on December 12, 2008; 2. The government is hereby prohibited from accessing BR metadata acquired pursuant to FISC orders in the above-captioned docket and its predecessors for any purpose except as described herein. The data may be accessed for the purpose of ensuring data integrity and compliance with the Court's orders. Except as provided in paragraph 3, access to the BR metadata shall be limited to the team ofNSA data integrity analysts described in footnote 5 of the Declaration, and individuals directly involved in developing and testing any technological

measures designed to enable the NSA to comply with previously approved procedures for accessing such data; 3. The government may request through a motion that the Court authorize querying of the BR metadata for purposes of obtaining foreign intelligence on a case-by-case basis. However, ifthe government determines that immediate access is necessary to protect against an imminent threat to human life, the government may access the BR metadata for such purpose. In

TOP SECRET//COMINT//NOFORN//MR 18

TOP SECRET//COMINT//NOFORN//MR
each such case falling under this latter category, the government shall notify the Court of the access, in writing, no later than 5:00 p.m., Eastern Time on the next business day after such access. Any submission to the Court under this paragraph shall, at a minimum, specify the telephone identifier for which access is sought or was granted, provide the factual basis for the NSA's determination that the reasonable articulable suspicion standard has been met with regard to that identifier, and, if the access has already.taken place, a statement of the immediate threat necessitating such access; 4. Upon completion of the government's end-to-end system engineering and process reviews, the government shall file a report with the Court, that shall, at a minimum, include: a. an affidavit by the Director of the FBI, and affidavits by any other official responsible for national security that the government deems appropriate, describing the value of the BR metadata to the national security of the United States and certifying that the tangible things sought are relevant to an authorized investigation (other than a threat assessment) to obtain foreign intelligence information not concerning a U.S. person or to protect against international terrorism or clandestine intelligence activities, and that such investigation of a U.S. person is not conducted solely on the basis of activities protected by the First Amendment; b. a description of the results of the NSA's end-to-end system engineering and process reviews, including any additional instances of non-compliance identified therefrom;

TOP SECRET//COMINT//NOFORN//MR l9

TOP SECRET//COMINT//NOFORN//MR
c. a full discussion of the steps taken to remedy any additional non-compliance as well as the incidents described herein, and an affidavit attesting that any technological remedies have been tested and demonstrated to be successful; and d. the minimization and oversight procedures the government proposes to employ should the Court decide to authorize the government's resumption ofregular access to the BR metadata.

IT IS SO ORDERED, this 2nd day of March, 2009.

Judge, United States Foreign Intelligence Surveillance Court

(b)(6)

TOP SECRET//COMINT//NOFORN//MR 20

All redacted information exempt under (b)(1) and (b)(3) except as otherwise noted.
TOP SECRET//COMINT//NOFORN
UNITED STATES FOREIGN INTELLIGENCE SURVEILLANCE COURT WASHINGTON, D.C.

IN RE APPLICATION OF THE FEDERAL BUREAU OF INVESTIGATION FOR AN ORDER REQUIRING THE PRODUCTION OF TANGIBLE THINGS FROM

DOCKET NO. BR 09-06

L
ORDER

TOP SECRET//COMINT//NOFORN

TOP SECRET//COMINT//NOFORN
On May 29, 2009, this Court issued a Supplemental Order that addressed several issues. Among other things, the May 29 Supplemental Order noted the government's recent disclosure that the unminimized results of authorized queries

o-

metadata collected by the National Security Agency (NSA) pursuant to the Court's order in and prior FISC orders had been shared with NSA

analysts other than the limited number of analysts authorized to access such metadata. May 29 Supplemental Order at 1-2. Such sharing had not previously been disclosed to the Court. Id. at 2. The May 29 Supplemental Order also noted the government's disclosure of an inaccuracy regarding the number of
.,

reports described in paragraph 14 of the declaration

attached as Exhibit A to the application in The Court directed the government to submit, within 20 days, a declaration correcting the inaccuracy regarding the number of reports and to provide a complete and "updated description ofNSA's dissemination practices." May 29 Supplemental Order at 3-4.

TOP SECRET//COMINT//NOFORN

Page2

TOP SECRET//COMINT//NOFORN

On June 18, 2009, the United States submitted the Govemment's Response to the Courfs Supplemental Order Entered on May 29, 2009,

TOP SECRET//COMINT//NOFORN

Page 3

TOP SECRET//COMINT//NOFORN
Unfortunately, the government's responses to the Court's May 29 Supplemental Order also raise two additional compliance issues, but also its orders in the bulk business

records collection, which was last renewed by the Court in Docket No. BR 09-06.

TOP SECRET//COMINT//NOFORN

Page4

TOP SECRET//COMINT//NOFORN

Second, the government referred in its June 18 submissions to a dissemination-related problem that was first brought to the Court's attention in a "preliminary notice of compliance incident filed. with the Court on June 16, 2009." June 18

Declaration at 3 n.1. In the June

16 notice- and in a separate notice filed contemporaneously in Docket No. BR 09-06 -the government informed the Court that the unminimized results of some queries of metadata had been "uploaded [by NSA] into a database to which other intelligence agencies ... had access." Preliminary Notice of Compliance Incident filed June 16, 2009, in Docket No. BR 09-06 at 2. Providing such access, the government explained, may have resulted in the dissemination of U.S. person information in violation ofUSSID 18 and the more restrictive restrictions on dissemination proposed by the government and adopted by the Court in its current and prior orders in both of the above-captioned matters.

TOP SECRET//COMINT//NOFORN

Page 5

TOP SECRET//COMINT//NOFORN

; Preliminary Notice of Compliance Incident filed June 16, 2009, in Docket No. BR 09-06 at 2

The govermnent asserts that NSA terminated access by outside agencies to the database at issue on June 12, 2009, and that it is still investigating the matter. Preliminary Notice of Compliance Incident filed June 16, 2009, in Docket No. BR 09-06 at 2;

The Court is also seriously concerned regarding NSA's placement of


TOP SECRET//COMINT//NOFORN

Page6

TOP SECRET//COMINT//NOFORN

unminimized metadata

into databases accessible by

outside agencies, which, as the government has acknowledged, violates not only the Court's orders, but also NSA's minimization and dissemination procedures set forth in USSID 18. Accordingly, it is hereby ORDERED that:
1.

was

2. With regard to

BR 09-06, the government shall, by

5:00 p:m. each Friday, commencing on July 3, 2009,2 file with the Court a report listing each instance during the seven-day period ending the previous Friday in which NSA has shared, in any form,' information obtained or derived from t h e - BR metadata collections with anyone outside NSA. For each such instance, the government shall specify the date on which the information was shared, the recipient of the information, and the form in which the information
communicated(~.

written report, email, oral communication, etc.). For each such instance

in which U.S. person information has been shared, the Chief oflnformation Sharing ofNSA's Signals Intelligence Directorate shall certify that such official determined, prior to dissemination, the information to be related to counterterrorism information and necessary to understand the countertenorism information or to assess its importance; 3. With regard to
2

BR 09-06, the government shall

If Friday is a holiday, the report shall be submitted on the next business day.
TOP SECRET//COMINT//NOFORN

Page?

TOP SECRET//COMINT//NOFORN
include, in its submissions regarding the results of the end-to-end reviews, a full explanation of why the government has permitted the dissemination outside NSA of U.S. person infmmation without regard to whether such dissemination complied with the clear and acknowledged requirements for sharing U.S. person information derived from the metadata collected pursuant to the Court's orders.

!TIS SO ORDERED this))"t{iay of June, 2009,>.

,. / //
...;r/

B. WALTON Judge, United States Foreign Intelligence Surveillance Court

~a~

,,,,

TOP SECRET//COMINT//NOFORN

Page 8

(b)(6)

(b)(1); (b)(3); (b)(6)

TOP SECRET//COMINT//NOFORN

-3-

All redacted information exempt under (b)(1) and (b)(3) except as otherwise noted.

Business Records FISA NSA Review


25 June 2009

(b)(3); (b)(6)

Prepared by: Business Records FISA Team Lead,

~/NF}

hnglementatfon of the Foreign Iill1ligencc SurveiHancc Court Aud:wrir.ed Business Records FISA - NSA Reviewv 25 ,June 2009

L flJ} Executive Summary (TS//Sl/iNF) The Business Records F!SA Compliance Review Team of the National Security /\gcncy (NSA), in response to instructions from the Director of NSA (DIRNSA) and as set out in DIRNSA 's Declaration of 13 February 2009 to the Foreign Intelligence Surveillance Court (F!SC), conducted a comprehensive systems engineering and process reviev,' of the instrurnentation and 1mplementation of the Business Records (BR) FISA authorization_ This review was focused along the t\vo major components where compliance issues had been reported --- system-level technical engineering and execution within the analytic workforce. (TS//SJ//NF) The review entailed 8 major system or process components of the BR FISA metadata workflow, 248 sub-components, and 93 requirements and resulted in 9 ne\v areas of concern based on past practices as described herein. NSA has taken steps, described herein, to remedy the problems identified, and to ensure to the extent possible they will not recur. NSA has also developed plans for both the cuncnt and future architecture to provide more rigorous and efficient protection, control and monitoring of the BR FISA mctadata. implementation of the envisioned changes in architectural design and oversight procedures briefly described in this report will help mitigate vulnerabilities and correct the problems identified through the rnurse of the end-to-end review. (C//REL TO USA, FVEY) The end-to-end review revealed that there was no single cause of the problems that occurred and, in fact, there were a number of successful oversight, management and technology processes in place that operated as designed. The problems NSA experienced stemmed from a basic Jack of shared understanding among the key mission, technology, legal and oversight stakeholders of the foll scope of the program to include its implementation and cndAo~cnd design. The complexity of the overall configuration, due in pmi to the intricacy of the system and the differing rules associated -...vith NSA 's various authorizations, was also a contributing factor as \Vas the fact that NSA oversight was primarily focused on analyst access to and use of the metadata. (TS//Sli/NF) This report, which assumes a basic kno1,vledge ofNSA's structure and some familiarity \Vith the FlSC documents and DIRNSA declarations associated \Vith the BR FISA program, addresses previously identified and newly uncovered areas of concern, as well as the corrective actions already taken, and those on-going or planned, to address these issues. lt details the scope of the cnd-to~end revic\-v, the methodology employed and the results. It also describes the minimization and oversight procedures NSA proposes to employ should the FlSC decide to approve NSA's resumption of previously authorized access to the BR F!SA mctadata, to include automated alerting and querying of the mctadata, as \Vcll as the autbority to establish \Vhether a telephony selector meets the Reasonable Articulable Suspicion ("RAS") standard for analysis (i.e., regular authorized access). Additionally, the report outiines the checks, balances and safeguards

enginccrctl into the systein; points to the need to clariJ)i existing language ln some cases; and describes enhanced training for the \Vorkf(lrcc that is designed to prevent future instances of non-c<;n1pliancc. Final!)', the report includes a sum1nary of a proposed technical nrchitccturc \vhich \\/ill further j}l"Otcct l1R FISA 1nctadata. (fS//Sl//NF) Jn conducting the cnd~to-cnd rcvic\v, NS1\ established a diverse tea1n of technical, legal and mission experts to cxa1nine joir,t!y the key functional areas of systc1n engineering, 111ission operations and oversight 'f'he NS;-\ tcan1 created an architectural diagra1n oftl1c end-to-end data and \Vorkf1ovv and cxa111ined each 111ajor system co1nponcnt and sub-cornponcnt to ensure a complete understanding of how the data \.Vas handled. In addition, NS/\ compiled all I3I{ FISA-rclatcd requirements and evaluated each systc1n and process cornponent against those requirc1ncnts to identify areas of concern or vulnerability.
(lJ//f"()lJC)) In rnovi11g t<.1r\vard, NS1\ \.viH not only address the specific technical and process issues identific(l in this report but \vill als<> implen1ent changes in its progran1 111anagcn1cnt C{Jnstruct to increase transparency and a\.varcncss among accountable parties anJJ establish an enduring vic\v of the full scope of the progra1n.
(lJ/.-'}:()lJ()J NSA 1nay produce additiz)nal supplen1ents tt) this report to the extent necessary to respond to additional ite1ns that n1ay be of interest to the court.

li. (U//f'OllO) Res11lts of J)etaiied ,\naiysis on Identified Areas of Concern


1\, (li//J<'OlJO) Previously Reported ('.ompliance issues
~. (lJ//,(,.~(}lJO)

l'elephony ,\ctivity lletection (Alerting) Process

{lJ) Description
(T'Si/S!i/Nl,') As previously described to the ('ourt, 1 NSA i1nplen1ented an activity dctectio11 (alerting) process 2 in a rnunncr that 1-vas not authorized by the Court's ()rder, and then inaccurately dcscribc(i thal process in its initial and each subsequent report to the C:'ourt NSA stated that only f{1\S~approvcd selectors vvere included on the Activity I)ctection l_,ist vvhcn, in fact, the list included those RAS-approved and 11011-RASappl\)VCd selectors~ \vhich vvcrc also tasked for content collection by counterterTorisn1 anal~ysts tracking and associated terrorist organizations or, subsequent to
1
2

(U//]'{)l)C)) See l)!H.NSA I)cclarati()J1 <l<Je<l !3 Februal)' 2009,

al

Sections Ifl.A. and lll ..8,

(U:'/f()lJ()) NS,'\ no\~ refers to the i"\lert Process and the 1\Jcrt List as the f.ctivity Detection Process and the i\ctivity ])etcction List to niore accurately describe their li.1nc1inns.

; CrS: /SL''N F) In mid-January 2009, there \Vere l, 935 R.1\S~approved and 15,900 non-R1\S~approved selcciors on the ;\ctivity I)c1ection List. 1\t tha1 1in1e. the Station lab!c (the reference database of all RA.S <:valuations) had approxin1atcly 27 .000 sclcc!ors identified as R1\S-approved and 63,000 selectors iJcrllified as non~R,\S-uppro\"cd.

(TS//Sl//NF) The Activity Detection List that was used prior to 24 January 2009 to alert analysts to a selector of potential interest was a list independent of the Station Table, the historic reference database of all RAS evaluations. The Activity Detection List was compared against the incoming BR FISA data to assist analysts in prioritizing their vvork. Some of the selectors on the Activ1ty Detection List had been RAS evaluated, and their status would have been reflected on the Station Table. Others had never been evaluated frn RAS and would not have appeared in the Station Table. ln this latter case, they \Vere treated as non-RAS~approved on the alert list \vhich meant that contact chaining did not take place in the complete body of archived data until and unless the particular selector had satisfied the RAS standard, (TS//S ii/NF) NSA 's description of this process to the Court reflected a similar process already in place frff the program, but NSA 's irnpicmcntatfon of the t\.VO processes was actually different Further, as described to the Court, the NSA personnel who designed the BR FISA Activity Detection List process believed that the requirement to sadsfy the RAS standard was only triggered when access was sought to N S/i., 's stored (i.e., "archi vcd'' in N SA pariancc) repository of BR FISA mctadata. The inaccurate characterization was identified in the course of a meeting bctv/ecn NSA and representatives from the National Security Division (NSD) of the Department of Justice (DoJ) on 9 January 2009. During discussions, DoJ identified what was ultimately detcrn1ined to be an incident of non-compliance with the Order. After additional inquiry, NSD/DoJ off!cially reported the incident to the FISC on 15 January 2009. (TS//S U/N F) Bct\veen 20 and 24 January 2009, the RAS-approved portion of the Station Table \Vas mistakenly implemented as the Activity Detection List in an attempt to address the original problems identified with the alerting process. At that time there \Vere approximately 27,000 selectors on this list, approximately 600 of which were designated as RAS~approved \.vithout having undergone NSA Office of General Counsel (OGC) re-vin:v as described in Section II.AA

{U) Remedial Steps


(TS//SI//NF) NSA completely shut down the Activity Detection Process against the BR FlSA mctadata on 24 January 2009 as a corrective measure.

2. (ll//FOUO) The
4

J\'Iechanism

(TS/iSf//NF) As of 8 August 2006, queries of the BR meiadata for telephone identifiers reasonably believed to be associated were permitted by the Court As of l 4 June 2007, the authorization expanded again to include queries of the BR mcta<laia for telephone identifiers reasonably believed (O he associated with associated terrorist organizations to inclnde-

(1.S//Sl//0ff;) As prC\'iously reported to the ('ourt, 5 from May 2(J06 to 18 F'ebruary 2(109, NS;\ intelligence anulysts Viho \Vere \Vorking counterterrorism targets l1ad access to a tool kno\Vn as~ \.Vhlch \Vas used to assist thcn1 in dctcn11ining whether or not a telephone ~f intcresl vvas present in NSA's 1nctadata repositories and, if so.

1vhat the lcv'c] of calling activity \Vas

f;)f

that selector. Bet\vcen these d a t e s , -

in turn, accessed the data present in the BR FISA mctadata repository to assist in

responding to these queslions~ is not a tool used fiJr contact cl1aining or . Itathcr. f\)r e<icii(jUCTY'Ola specific telephony selector, t h e tool returns the nu111ber of unique contacts, the nun1ber c1f calls n1adc, the dates of the first
and last call events recorded in NSA 's data repositories a11d the amount of1i111c it took to process the qucr)', It docs not return tl1c actual telephone identifiers in contact \Vith the selector that serves as the hasis fi)r the analyst's query. c l l l o u g l - can be used as a stand-alcinc tool. it is 111orc con11nonly invoked by other tools such as

(-rS//Sl//NF) ()n l 9 February 2009, NS1\. confir1ncd t h a t - pcrfOr1neci queries agains1 the I3i{ r~lSA 1nctadata repository using non~f.ZAS-approved selectors. It \Vas also confl1111c<l that analysts '\.Vho were ::<ot I3R FiSA~authorizcd inadvertently accessed BR FISA 1nctadata \Vithout realizing it as a result of accessing-. rrhe results returned fr{)J11 this tool did not identify to the user \Vhcthcr their results came fron1 Brt 1:rsA or frorn metadata co1lcct0d pursuant to NSA's authority to collect signals intelligence i11t(ln11ation under t:xceutivc ()rdcr (f-20) 12333, but rather co1nbincd thc1n into a cons<)lidated sum1nary,

('fS/iSfi'/Nf;') ()n 20 Fcl1ruary 2009, NSA re111oved the specific systc1n~lcvcl certificate (cry-ptologic authcnticatio11 f()r sofl\varc akin to a ticket used to confi11n the bearer is entitled to enter) that had allo\vcd the [3I{ FISi\-cnablcd Ito access the l~R Fl SA metadata chain repository_' ()ut of an abu11dancc of caution, NSA also 1r1ade soft\varc changes on 6 !vi arch 2009 V/hich rc111ovl,,'<l analvsts' ability to 1nanual1~y in\okc - b g a i n s 1 11R r~tS/\ 111ctadata. \Vl1ile- C()Ul(t still automatically be

(lJ.'/F()lJ()) See I)lRNSA Supplcinental I)eclaration dated 2S February 2009 <lt Section !Lt\. & IL

invoked via the Auto1natcd ("'haining Analysis 1'ool (i-\(_~/.,_"f'), 7 as stated, the revocation of the sysicn1 level certificate prevcntc(- fro1n accessing tl1e 3IZ J~ISA mcladata chaii1 rcposi1(}fy.

3. (IJ//I'OUO) lrnproper Analyst Queries

(crSJ/Sii/NF) Arnong the compliance issues previously reported to the C'.ourtg 1.vas NS.l\'s discovery that bcl\ve-cn l November 2008 and 23 January 2009, t11re-e analysts

ina{lvcrten!ly perfOrn1ed chaining \\/ithin t h e - f3R FIS,\ 1nctadata repository using !4 diffCrcnt telephone identifiers that did not n1cct IZAS approval prior to the query.
'fhe analysts did not realize they \Vere querying the BIZ f:rsA mctadata and none of the identifiers \Vas associated \Vith a lJS, telephone nurnber or person. Based on an audit of ot11cr queries the analysts v.rere conducting at the sa1nc tin1e, it appears each anal)1St thought he or sl1e \Vas conducting queries of other rei)ositories ofteler1hony tnctadata that arc not subject to the requirements of tl1c Business Records ()rdcr.

CfS//Sl//Nf') NS,t\ in1ple1ncntcd the f~1nphatic Access Restriction (I:AR) to cnst1rc that contact chaining in t h e - BR FlSA rep<>sitory is restricted to only th(JSC seeds that have hccn f-ZAS-approved support personnel have conducted tests to ensure the f~AfZ is functioning properly by monitoring 1nanual query input and output, evaluating individual and connected functions, as well as examining log files to ensure the results of inanual queries, noy.,- ivith the t:Af{ in place, produce the desired results. E:arlicr NSA had_ also introduced a saf-Cguard requiring tl1c analysts to acknowledge tJ-1at tl1cy \Vere about to access the f3R FISA 1nctadata to fu11hcr reduce tl1e potential f()r additional instances of non-compliance. I\1orc f(Jnnal ancl rigorous training also cn1phasizes the need fiJr caution \Vhen invoking their BIZ FiSA authority. NSA is in the process of finalizing the testing of a soil<.vare n1odification \vhich \vill restrict the analysts to chaining no 1norc than tl1rec hops fron1 a RAS-approved selector 1,vithin 1-3R FfS,.\ 1netadata reposit{}ry,

fS/iSli/NF) Internal audits of the activities ofNSr\ personnel autho1ized to query tl1c data under the 5 March 2009 order since 17 March 2009, 1.vhcn the (:{}Ult approved tl1c first batch of f3R Fl SA 111eta<lata selectors as 1nccti11g the JZAS standard, have sho\vn no further co111pliance issues.
0 (

4. ("rS//SJ//NF) ll.S. Identifiers Designated as R/\S-ApproYed without 0(-;C Revicvv


.ACAT
ii

(lJ,.iF(Jl)()} Sc~' i)l!ZNS.t.. Supple1ncntal ])cclaration dated 25 February 2009 at Scctiun 11.B.

(TS//SI//NI-~) f3ct\vccn 24 May 2006 and 2 February 2009, NSA designated approxin1ately J,000 lJ.S. selectors as RAS-approved on the Station 1ablc without undcrgoir,g the required ()(i('. approval. l'his set of numbers was derived ffom t\VO time perio(_1s: 1 January' 2005 to 23 May 2006 and 24 lv1ay 2006 t(.1111id-f)ecembcr 2008.

(rS/iSl//NF) Approxin1ately 60D U.S. selectors that had been tipped to Fl3I a11d C:IA bclvvccn t January 2005 and 23 May 2006 as having ties to kno\vn, or probable, tcn\)rist entities vverc <Kldcd to the Station '1'able after the BR f<'ISA ()rdcr \Vas issued in an cfl(Yrt to '~jun1pslart" t11c BR Fl SA operations. "f'hcsc 600 lLS. selectors did not undergo OGc::
1

rcv1e\v.
(TS//Sll!NF) Between 24 May 2006 and 6 May 2009, NSA issued 2779 BR F!SA-bascd reports, all of\vhich vvcrc based on contact c11aining ofIZAS-apriroved selectors. Included in t11csc reports vvcre tips to custon1ers (Ff~!, ('JA . NC: f(', and/or ()f)NJ) of LJ .S. tclc11t1onc nu111bcrs \Vhich had been in contact \Vith a R1\S-approved selector associated
0

\Vith

lor \VCfC Vlithl11

three h{)pS of a RAS-approved selector. For those reports issued bct\veen 24 May 2006 and rnid-i)cccn1her 2008, NSA took the additional step of designating as RAS~approved in the Statio11 'fahlc the subset of these <lon1cstic selectors that \Vere 1ippcd as having ties to known, or probable, terrorist cr1titics. t-fov/ever, these selectors did not undergo the required OG(~ rc\1 iC\V_ f'or this cn1lrc period (24 May 2006 to J 5 Decc1nber 2008), the total nu1nbcr oflJ,S. selectors added to the station table as RAS-approved, btJt \Vithou1 the (JG(~ rcvievv, was ap1Jroxiinatcly 2,400. 10 ('T'S//Sl//NF") At the time the R1\S-approved portion of the Station -rable \Vas 1nistakcnly in1plcmcnted as the Activity l)etectiort ljst in n1id-January 2009, as described in Section

'! (rS:iS!iiNF} -!'he nun1b<::r of repnrt<i included in the f)lRNSi\ f)ccl:iration of 13 February 2009 \V&s 275. '!'his \Vas based upon infrlrn1ai1on ga1hered on 6 February. Further rcvic>v has taken into account the litct that an addilinnal report \Vas issued after r, February, bu! before 13 February. Senne of these reports had been cancelled for various reasons and so1ne of the cancelled rcpPrts \Vere reissued 'Nith corrections_ 'l'hcrefi:1rc, the c1.inccl nun1ber of unique icports as of the 13 February 2009 declaration should have been 274. Sin,~e \hen, additional reports have been issued for a current 101al of 277 (as of 0 JV1ay 2009). -rhc l)eclaration also stated 1hat there \Vere 2.549 selectors tipped in these reports. -rhe ae1uai nuniber or seieclors lipped in the 274 reports is 2,88~.

H (fS;"Sli/NF) /-1.pproxiniatcly l 000 of !Lese selector~ fro1n th<:: post-23 May 2006 era \Vere reported to custoincrs as having only an indirect connection to knov,-n or probable terrorist sch:ctors. !t \Vas not NSA pnlicy to include this category of nutnbcr, in the Slntion 'fable ;-.,.s "lt6i.S-approved.. , l-!O\Vcver, an error \Vas rnade during a hulk upload to the Station '!"able of tipped nu1nhers on 9 Deccinbcr 2008 and these numbers v.'ere inadvertently included. '!'hey \Vere rrcsenl on the Station 'fable as Ri\S~approved until the entire set of 2.400 ll.S. selectors \Crc ~t R1\S-approved" on 15 I)ecen1her 2008 (six days later). /\n audit of !he ;\len sys1cn1, the -ys!en1 and the rransaction l)atabase shtTINCd that no chaining: in the f3R. FIS/\ n1etada1'1 \vas pcrfonncd on these nun1bers during this period.

'l()i' SE('RF!.i/CCJ!vli>J.J'i/URC\)N.
11

OFOR\l

ILA< 1., approximately 600 of the U.S. selectors from the Table had not undergone the required OGC rcvievI. Forty-six of these approximately 600 selectors generated alerts as a rcsuh of the actions described in Section U.A.1; hO\vcver, none of the resulting analysis based on these alerts yielded inforrnation that was subsequently tipped to customers. (TS/.iSL//NF) Designating these U.S. identifiers as RAS-approved vvithout the required OGC review grew out of a related practice that NSA applied briefly to its development of the Telephony Activity Detection List in 2006. Specifically, in its first periodic report to the Court as directed in the initial May 2006 Order, NSA stated that U.S. identifiers that had been reported to FBI and CIA prior to 24 May 2006 because of their direct contact with international terrorism selectors had also been added to the alert list, even though thev had not been oualificd as seed identifiers and had not been rcvicv.. ed bv OGC While J ' ., the initial report explained to the Court the NSA rationale for the bclicfthat these identifiers did not need to go through the full approval process to be included on the alert list, the November 2006 90-day report also stated that the practice had ceased as of 18 August 2006. Although the use of this process to add identifiers to the Alert List did cease on that date, NSA. failed to discontinue the process of adding selectors to the
1

Station Table.

(TS//SI/iNF) In early February 2009, all selectors that the OGC had not revie\vcd were changed to non-RAS-approved on the Station Tabk

R (tJ) Newly Identified Areas of Concern

L (S//NF)

Not Audited Prior to ,fanuary

2009
{U} Description (TS//Sl//NF) January 2009 discussions bct\vcen Oversi 1ht and Com the BR FISA-authorizcd analysts revealed that the NSA's repository for individual BR FJSA metadata one-hop chains, had not been audited, prompting fmihcr investigation as part of the end-to-end review. Prior to that time, NSA O&C was not fnvarc of its existence in the technical architecture and thcrefrm:: did not audit the database.
~~~~~~~~~~~~~_,

fU) Remedial Stegs TS//SI//NF) Between May 2006 and .January 2009 logging capability recorded all queries via the analyst graphical user interface
(TS/iS fi/NF} These were !he apprnximatdy 600 from the pre-FIS A era; tht' others had been changed to "not RAS-approved' in mid-December 200l( The failure to remove ihese approximately 600 numbers \Vas an oversight The 600 sdectors were changed to ''non-RAS-approved" on the Station lo.bk in early Fcbrn ary 2009.
11

to the data within t h e - to include the user's login, lntcrnet Protocol (IP} address, date and time, and retrieval request --- all fidds required by the OrdeL Analysts use the to verify the specific call event details bet\vecn two individuals -details such as which selector Initiated each call, \Vhcn the caH was initiated and hmv long the call lasted_ However, sometimes to verify the call details of a communication event the analyst uses the selector that was the first or second hop result as the retrieval request Because of this, the selector that \Vas the RAS-approved seed is not ahvays evident in the . In January 2009, NSA took steps to augment the information recorded in the system Jog to include the RAS-approved seed that the user was asserting to be within t\vo hops of the selector being queried. O&C began aw:.lifo1g queries to the database in February 2009. Since this enhanced auditing capability \Vas added, O&C has audited the BR FISA-authorizcd intelligence analysts' queries and found no evidence of improper queries. Although the suffered a system crash in September 2008, NSA was ultimately able to recover sufficient data to permit O&C to conduct sample audits of queries since the Order's inception. These sample audits revealed no unauthorized analysts conducted queries ugainst the BR FISA mctadata and no authorized analysts conducted improper queries of the rnetadata. (TS//Sl//NF} As the s outside architecture, it is currently not protected by the EAR, NSA \vill migrate:ys:m functionality into the corporate architecture to provide greater accountability and to help ensure compliance with the Court Order and any future requirements. Reconstituting this database \vithin the corporate architecture \vill ensure that it is established and supported on systems that use corporate authentication/authorization services, use system security and configuration management practices, are certified and accredited \vith approval to operate o~ an active System Security Plan (SSP), 17 and above all employ software measures that minimize compliance risk<

thc9!!

2. (TS//Sl//Nf) Data h1tcgrity Analysts} Use of BR FISA Metadata

(TS//S i//N F) As part of their Court-authorized function of ensuring BR metadata is properly fonnattcd for analysis, data integrity analysts seek to identify numbers in the BR mctadata that arc

integrity analysts had identified such


(U/FOUO) An SSP is a formal document describing ihe implemented protection measures frir the secure operation of a computer system.
11

would not only take steps to prevent the selectors becoming part of the analysis in the BR FISA context, but \vould also note them a, Iselectors in other NSA systems in order to similarly prevent them from being included in analysis conducted outside the BR FISA context. NSA detemiined that the data integrity analysts' practice of populating -numbers in NSA dat2bascs outside the BR FlSA databases had not been described to the Court

-I

-I

(TSi/Sli/NF) For example, NSA maintains a database, which is \Videly used by analysts and designed to hold identifiers, to include the types numbers reforenced above, that, based on an analytic judgment, should not be tasked to the SICHNT system, !nan eff(xt to help minimize the risk of making incorrect associations between telephony identifiers and tar >ets, the data intet,,'fity analysts ~d the BR mctadata small number o f BR metadata business numbers \Vere stored in a file that was accessible by the BR FISA-enahle(- a federated query tool that allowed approximately 200 analysts to obtain as much infonna_tion "as~ possible about a rrticular selector of int~e!cst._ Both I and the HR f ISA~ aUowcd analysts outside of those authorized by the Court to access the-lfllimber lists. The end-to-end revic\v has not identified any other systems that have been fed using numbers uncovered by the data integrity analysts from the BR FISA mctadata.

oflllll

(TS//SI//NF) Similarly, in January 2004 Ideveloped. a 'defeat list' process to identify and remov ~selectors deemed to be oflittlc analytic value and that ln bui!ding defeat lists, NSA selectors in data acquired pursuant to the BR FISA Order as \vcll as in data acquired pursuant to EO l 2333. When candidat Iselectors contained in the BR FlSA mctadata \Vere found to have a )btained approval from the data integrity analysts to allow those selectors, which come from BR Fl SA rnetadata, to be added to the defeat list. This resulted in all references to those selectors being removed from all of chain databases, to include the database containing and processing data acquired pursuant had also been sending all selectors on the to EO 12333. Since August 2008, defeat list to the

A notice i,,vas filed with the FISC on these issues on 8

(ll) Remedial Steps

-I
~

(TS/iSI//NF) On l May 2009, NSA dctennincd that the data integrity analysts' practice of ~ing burnbcrs i1 Iand using BR FISA-enablcd to access this database was an area of concern. NSA immediately began quarantining the BR-derived identifiers it . completing the action by 2 Mav 2009. Access to the file containirn.:: the small number of BR-derived . .
~-

10

identifiers by the f31{ Fl SA-enable(- \Vas shut off on 12 Iv1ay 2009, \vhen files crcatezl by lhc data integrity analysts \vcre-1noved t{} a protected vvork file systen1.

(TS//Sl/.il\lf') NSA dctt'f1nincd that only eight selectors ffon1 thc BR f~IS,t\ mctadata hJ\'C ever been added to th list. Starting in Novc1nber 2008 began to n1aintain sc arate dctcat llsts tor B!t I~JSA on 11 fvlay 2009 re1no\'ed the eight I3IZ FISA selectors tforn it dei'Cat list rhc BIZ F!SA def'Cat list \Vill no longer be shared until this issue is resolved.
ffS//Sl//Nf:) As t11c positive irnpacts that result in n1aking these numbers available 1<} analysts outside of those authorized by the C~ourt see1n to be in keeping \vith 1hc spirit <}f reducing unnecessary telepfH}ny collection and 1nini111izing the risk of111aklng i11correct associati{;ns between telephony identifiers and targets, NSA \.Vill work with DoJ to seek . ' i] ; to continue (',ourt approva: sue h pra.ct1ccs. -

3. (1'S//Si//N[.') llse of (:orrelatcd Sc~cctors to Query the BR l'ISA l\1etadata (U) Oescrlptlfill
(rS//SJ//NJ-~) T'hc end-to-end rcvic\v rcvcaled the fact that NSA's practice of using conclatcd selectors to query the ESR FiSA n1ctadata had not been fUlly dcscril;cd to the C~ourt. A con1munications address, or selector, is considt.1cd co1Telated \Vith other cornrnunications addresses \Vhcn each additional ad.dress is shov..'n to identifJ' the san1c con1111unicant{s) as the original address

111etadata routinely used to query the i1R I7 ISA 1nctadata \Vithout a separate RAS dctc1mination on each correlated selector. In ()ther \Vords, if there v-:as a successful R/\S dctcnnination n1adc on any one (}fthc selectors i11

(1"S//S!/iNF) NS1\ analysts authori;,ed to query the BR

t~ISA

..... F()l_J()) Sec 1\ppcndix L Cilossary orrenns. for expan;;ion and definition o f l l

ii

(TS//Sl/iNF) Although NSA obtainec lconclations from a variety of sources to include Intelligence Community reporting, the tool that the analysts authorized to query the BR FISA mctadata primarily used to obtain the co1Telations is called A description ofho\V I is used to correlate-====1 was included in the government's 18 August 2008 filing to the fl SA Comt \Vhilc NSA previously described to the FISC the practice of using correlated selectors as seeds, the FISC never addressed whethc Icorrelated selectors met the RAS standard \Vhen any one of the correlated selectors met the RAS standard. A notice 1,vas filed with the Fl SC on this issue on 15 June 2009.

(ll} Remedial Ste{!s (TS//Sl/iNF) T h e I~ a database that holds correlations between selectors of interest, to include results from was the primary means by '<.vhich correlated selectors \Vere used to query the BR flSA mctadata. On 6 February 2009, prior to the implementation of the EAR,Wcccss to BR FISA rnctadata \Vas disabled, preventin~I from providing automated correlation results to BR FtSA-authorizcd analysts. !n addition, the implementation of the EAR on 20 February ended the prncticc of trc~corrclations as RASapproved in manual queries conducted \.Vithin~ the EAR requires each selector to be individually RAS-approved prior to it being used to query the BR FISA Icorrelations as RAS-approved data. N SA ceased the practice of trcatin
within the Order. in conjunction with the March 2009 Court

4. (TS//Sl//NF) Handling BR FiSA l\fotadata {U) Description


(TS//Sli/NF) The results of the Homeland Security Analysis Center (HSAC) analysts' BR Fl SA metadata contact chaining queries have been routinely made available to the broader opulation of NSA analysts working I f"his sharing helps ensure that analysts with specific hxeign target expertise can apply the full scope of their knw,vkdge to the BR FIS A-generated information to identify all possible terrorist connections quickly and characterize them within the context of the target's known activities. With only 20 HSAC analysts approved to query the bulk BR Fl SA rnetadata and more than one thousand analysts working various aspects of the countcrterrorism mission enterprise-wide, fower than t\vo percent of countertcrrorism

anJlysts currently have the authoritv to access the f3l{ FiSA rnciadata. 'I'hus, the collcciivc experience of the 131< I:lS.!\-authorizcd analysts represents a small fraction of NSA S overall expertise on countcrtcrrorism targc1s. C~'f target analysts beyon(i the small nu1nbcr currently authorized to query the f3l<. 1-''lS/\ n1ctadata arc responsible fbr analyzing the data in the context of'SlCJtN'f infi:im1ation and \vr!ting reports; this practice o:n1tinucd under the structure in1posed hs the March Court ()rders. NSA believed sucl1 internal sharing {}f the results of it~ analysis (as distinct ffon1 the bulk n1etadata itself) \Vas consistent \Vith the (,'ourt's Orders, but had not included a dcscri tion of it to the (~ourt in its periodic reports pri()r lo May 2009
0

(-rS//Sl//NF) In ach1ition, the c:ourt C)rdcrs prior to 2 Marclt 2(!09 state t11at "anyproccssing by technical personnel of the BR 1netadata acquired pursuant to this ()rder shall be conducted through the NSA's private nctviork, which shall be accessible only via select n1achincs and only to cleared technical personnel, using secured cncr)''pted co1111nunications." rhc end-to-end rcvicV/ revealed that the \Vay in \Vhich NSA protects the data is not precisely as stated in the ('.ourt ()rdcr; ho\.vever \VC believe NSA's iinplernentation is consistent \\'ith the intent of preventing unauthorized users tf-0111 accessing the (la ta, r:or cxan1plc, there are not specifically designated or "select" 111achincs ifo111 \vl1ich technical personnel access and process the data on NSA 's private, secure r1ctvvork. '1'hc internal NS;\ comn1unications paths on its classified netvvorks arc 15 not encrypted, but arc subject to strong physical and security access controls \Vhich provide the necessary protections. (rS/iS!//NF) 1'hc end-to-end revie>v also revealed that data integrity analysts, in order to
conduct t}1cir authorized duties, pull sa1nplcs of rav.1 f3R metadata into their private directories on the NSA nct\vork, \Vhich they access via usernan1c and passvvortl, to analyze the 111ctaLlata in order to develop UC\V parsing rules or prepare satnplcs ft1r spc1t checks. 'rhe private directories offCrcd the1n a \Vorkspacc to analyze the n1etadata using tools and applications that they could not invoke in th While these private directories could be ir1tcri)rcted to be an additional data repository to the t\Vt alread)' Llcscribcd to the (~ourt, the 8}{ f;lSA da!a is not accu1nulated as in a true database repository. 'l'hc data integrity analysts are authorized to access tl1c data, a11d any i111portation to their O\Vn S)iStcn1s \Vas dclcte<l \V]1en no longer needed.

(rS/iS!//NF) Additionally, the revie\\' uncovered that data integrity analysts, in conducting their authorizeci duties. copied data into tv,'o shared directories created f()r
15 (rS-'.:'Sl/iNF) T'he NS;\ c11n1plex is it Sc1sitive cornpartn1cntcd lnl'onna!ion Facility (SC'lF) that is an accredited installation. incorporating stf('llg physical and security access control n1casures (barriers, locks, a!arn1 syste111s, anned guards), to \~-hich only authorized personnel are granted acccs~. ~lithin NS1\, only approved users of NSi\NEr can gain acces~ to the nctv,r,-ffk through login and pass\vord. ()nee on the fl(,>(\vork, th~ user can only access ihc l~R Fl SA. n1ctadata if addi1ional access control~ specifically allo\v such accc~s. 1\cccss to particular da1a sel" is granted based on nccd~!o~knov,r and is verified ,.-ia Public Key lnfrao>tructurc (PK!).

13

\'1tNT'"0R(\)N

OF\)R'\

restricted infimm1tion \vith a controlled user set These shared directories also offorcd access to similar tools and applica!ions as mentioned above. NS/',,_ learned that roughly 170 personnel \Vho at one time had been cleared for sensitive mctadata programs had access to files on this server. Approximatdy 15% of these personnel 'Were system administrators or data integrity analysts; the remainder included intelligence analysts, rnanagers and engineers. \Vhilc it was possible for the files to he accessed by any of these personnel, it is unlikely that anyone other than data integrity analysts "vould have done so since it would have been outside the scope of their duties.
{U} Rcrncdi:d Stcgs
(TS//Sl//NFtA notice was filed with the FlSC on the matter of sharing results of queries within NS/\ as it relates to the BR FlSA Order on 12 June 2009. While NSA believes the ability of BR F!SA-authorizcd analysts to share unminimized query results \Vi th the broader population of NSA ana!ysrs \vorking is critical to the success of its countcrtcrrorism efforts, cffoctive 18 June 2009 NSA began the process of limitin r ' ~ "l authorized analvsts. - h e Court explicitly authorized the continuation of internal sharing of the results of authorized queries \vi th NSA analysts other than the limited number authorized to access the bulk metadata, provided all analysts receiving such results receive appropriate and adequate training. The government anticipates seeking the BR FISA context.

lin

(TS//SI//NF) Regarding !he handling of mctadata by technical personnel. NSA implemented additional access controls using UNIX group access control vvhich assured that only the data integrity analysts were in the "group" which could access this data, and is providing appropriate protected storage areas fi.n the data integrity analysts' work files. With regard to the manner in which NSA secures the BR FISA mctadata, NSA will work 1,0vith DoJ to more accurately reflect in any future application to the Court the cmTcnt method of providing protection. Instead of accessing the data via select machines using secured encrypted communications, NSA provides protection through the use of the secure nctvvork; use of NSA's identity and authorization access control service; and other NSA corporate standard data protc'Ction services.
5. (TS//SWNF) System Dcvcfope.r Access to BR FISA Metadata vvhile Testing Ncvr Tools

(lJ) Desgiption
(TS//SI//NF) In its revicv,1 of all tools and interfaces that allO\vcd access to BR FISA rnetadata, NSA detern1ined that developers assigned to v,rork - a next ocncrntion metadata anal 1 sis 'rnphical user interface (GUI) which is the replacement fix had queried BR FlSA metadata chaining summaries 20 times during the course of their testing between 26 September 2008 and l l February 2009, This access occurred due to the dual responsibilities of the

14

individuals involved, The developers o. also have maintenance responsibilities for the operational system, is warranted on a continual basis. While the actions v.,1ere in keeping \Vith the Court Orders that were in place at the time of the queries, access to the BR mctadata -v,ras unintentional and unknmvn to the developers at the time.

(lJ} Remedial Stegs


(TS//SI//NF) \Vhen this issue surfaced, NSA implemented a software change on 19 March 2009 to prevent t h e - - GUI from accessing BR F!SA rnetadata regardless of the user's access level or the RAS status of the selector. NSA also implemented an Oi/ersight process \Vhereby all BR FISA~autborizcd technical personnel who have both maintenance and development responsibilities have their accesses to BR FISA metadata revoked when involved in new systems development. This process will ensure no inadve1icnt access to the data until such time as these technical personnel receive OGC authorization to access BR flSA mctadata to test technological measures designed to enable compliance \Nith the Court Order. The NSA O&C is notified each time anyone's pcnnission to access the BR FISA mctadata is changed and tracks these changes for compliance purposes.

6, (TS//SWNF) Provider A_sserts That Foreign-to- Foreign Meta.data \Vas Provided Pursuant to Business Records Court Order
(lJ) Description

(TS/iS!//NF) NSA's mission clement which obtains the BR FISA metadata from the providers, reported during the end-to-end rcvic\v t h a . I raised a question concerning whether certain foreign-to-foreign rnetadata it rovidcs to NSA is subect to the tenns of the BR FISA O r d e r - This foreign-to-foreign rnctadata stmied coming into NSA in January 2007.

{ll} Remedial Steps


roviding NSA with fiJreign-to-forcign rnctadata

The Court is no\v a\varc of this issue, and the Court's 29 May Order specifically excludes from its scope the afr)rementioned f(}reign-to-fr1fcign mcta<lata. The provider ceased providing this mctadata on the same day as the Order was signed. NSA is coordinating with the provider and the NSD/DoJ to resolve this mattec

7. (TS//Sl//NF) llr!intcntim1al Omission of OGC Revieiv of U.S. Identifiers

S l.C R FT./( '(l\l

15

(lJ} ])cscriptio11

("f'S//S!//NF) lt \Vas recently discovered that during the June through ()ct<>bcr 2006 ti1ncffarnc, in the process of i1nplc:ncnting the initial Bil F'ISA ()rders, a few domestic nun1bcrs were designated as RAS approved and chained \.Vithout ()(JC: approval d11c to con1pound anal~yst errors, "rhesc errors occurred \vhcn analysts inadvertently selected the inco1Tect op!ion in a (}lJL 'fhc correct option \Vould have designated the do1nestic identifier as needing ()(JC' a11provzL cfhc incorrect 011tion put the don1cstic selector into a large list of foreign selectors \Vhich did not need ()(f(_'. approval as pa1i of the f<AS approval process. In those cases \vhcrc the tion1cland ~Aission C'oordinator (!--IMC~) failed to flt)ticc the do1ncstic nun1hcr in the !argc list of foreign selectors and the IlAS justiflcation was apr1rovcd, the nu1nber \vas chained. NS"'\. continues to investigate this matter, 11ut, based on avai!ablc records, NSA 's initial estimate is this occu1Ted fC\ver than ten times. NSA \Vili provide addit:onal inf()r1nation as appropriate. A 11(Jticc \.vas f1lcd \Vith the fJJSC: On this iSSl.lC Ol1 2Q JUflC 2009.

{U} Ren1ediai Steps ("f'S//S!//NF') I-~ach ti1nc an error \Vas identified through quality control, senior I,IMC~s provided additional guidance and training, as appropriate. Continued training and 1nanagcment crvcrsight, in particular \vhen ne""' analysts arrived, helped ensure such errors \Vere nt)t rcpcattx.L 8. (l'S//SI//NF) .iLxternal i\ccess to Unmi11imized Results
(lJ) l)escriQtion
I~R

!<'ISA I\'Ietadata Query

("rS//Sl//Nf;) In exa1nining NS;\ 's practice of sharing I3Il FIS/\. n1etadata query results internally vvitb other NSr\ analysts \vorking authorized . NSA learned ofC:IA, FI3l, and NC~T'C' analyst access to unn1inirnizcd l:JR. F'ISA tnctadata-dcrivcd query results and target knovvledge inf()rn1ati(H1 via an NS,\ countcrtcn\.)risn1 database. 1his 111attcr, just rccent!y identit1cd, \Vas a collaboration practice that \.Vas in r;lacc prior to the inception of the BR FISA (_'.ourt Or(h;:r. ()\'Cf time, approxin'1atcl; 200 anal:ysts at ('IA, FBI, and NC'l'C: had been granted access to this target knO\."ilcdgc base. \"./hen the t3R progrmn vvas brought ltndcr the jurisdicti{)fl of the FIS;\ (~ourt, this practice \Vas not n1odificd to confonn \Vith the Or<ier' s requirc111cnts for the disscn1ination of BIZ F'ISi\ 1nctadata-dcrivcd query results outside (JfNS/\. A notice \Vas filed \Vith the F'ISC: on this n1atter on 16 June 2009.
1

{lJ) Remedial Steps


frSi/Sl//NF) While NS/\. disabled the h.yperlink button used hy' the external analysts to access this target kno\.vlcdge database in the Surnrncr 2008 ti111cframe, NS1\ teamed that the external analvsts could !v:ivi,,:: still accessed the data if thcv retained the \JIZL. address.
" "

16

Upon identifying this as an area of concern on 1 l June 2009, NSA began terminating external customer account access to the target kno\vlc<lgc database, completing the action by 12 June 2009. NSA is continuing to investigate this matter; audits are mnv underway to determine the extent to which the query results may have been accessed. Once completed, NSA will provide a full explanation of this practice.

9o (TS//SI//NF) Dissemination of BR FISA lnformatfon {U} Description


(TS//Sl//NF) When an NSA analyst determines that information identifying a U.S. person is critical to include in a metadata report, he or she is required to obtain dissemination authorization from the designated NSA approving office in accordance \Vtth the Court's Order. Specifically, the order requires that prior to disseminating any U.S. person inforn1ation outside of the NSA, the Chief oflnfonnation Sharing Services must <lctenninc that the inf~)nnation is related to counte1icmnism inf(xmation and is necessary to understand the information or to assess its importance. ln fact, the Chief of lnfonnation Sharing Services, \Vhen unavailable, has in the past delegated this authority, typica!ly to the Deputy Chief Additionally, after hours or in an emergency situation, this authority has a!so been delegated to NSA 's Senior Operations Officer (SOO) in its National Security Operations Center (NSOC). (TS//SI//NF) The practice of sharin r BR FISA metadata analytic results also applied to }roccss v.foch was established to facilitate sharin ~of sensitive mctadata among NSA 's ucries, called Requests for Infonnation (RFJs), submitted to vcre disseminated to all the partners fix response. Only those RFis that the ietem1ined vvere answcrab!c by NSA \Vere fonvarded to the HSAC HSAC queries in response to the RF!s were only performed against valid RAS-approved selectors. ThcWtandard operating procedure \.Vas to minimize HSAC's results and then merge them with the results of with any sourcing infmmation sanitized. Of the l 2 RF Is sent to !-iSAC from the ct\veen 2007 and 2008, HSAC affirmatively responded to only four. The in tum, rovided the results of one 16 of these RFis, in a sanitized ilxmat, back to the equcstor. While the query results \Vere sanitized to remove information regarding the collection source, it \vas recently discovered that t\vo lLS. telephony identifiers derived from BR FISA metadata anal sis results \Vere inadvertent! , shared without being minimized by NSA, with the 7 As it was not Wractice to disseminate unminimized LLS. person information, obtaining dissemination authorization from the designated NSA approving office was not part of their process,
{lJ) Remedial
S~

11 '

(Ui/FOUO) 'fhc RFl response is not a sub~ct of the 277 reports discussed earlier in Section ll.A.4_

1iiiiiiiiiiiiiliiiiiiiiiiiiiiiiiiiiiim
17

g_('(lN/NCJFORN

(TS/iSI//NF) NSA is currently conducting a review of any BR FISA mctadata~dcrived reports that contained U.S. person identifying int(mnation to determine consistency \vith the Court's Ordec Once this is completed, the results w-ill be provided.

UL

ll//FOliO NSA's End-to-end BR FJSA Revievr

A. (lJ) Scope (TS//SI//NF) NSA established a team of experts to conduct a thorough end-to-end systems engineering and process review of the BR FISA mctadata \.VOrkflow. The team reviewed 93 rcuuircments extracted from the March 2009 BR FISA Court Order, App!ication and Declaration; dataflow diagrams; and system documentation (to include systems engineering and security plans) to ensure a complete understanding of hmv the requirements \Vere being met prior to 2 March 2009, hmv well they arc currently being met, and what changes may be needed to ensure compliance, The team then used these requirements as a basis to examine six key aspects (systems architecture, analyst work flow, management control, compliance auditing, oversight, and training) of NSA 's handling of BR FISA mctadata, and to establish a comprehensive plan to ensure that all requirements arc addressed and properly implemented,
. J -

(TS//Sl//NF) Another critical step in preparing to conduct the end-to-end revic\v \Vas to identify and map hO\v all the system components fit together. Lack o~',such end-to-end 8 mvareness contributed to the problems initially reported to the Fl SC. ' The systems/processes rcvievv'Cd vvere:

2.
repository for individual BR FISA mctadata one-hop chains 5. the Telephony Activity Detection (Alerting) Process 6. the Reasonable Articulable Suspicion (RAS) Approval Process 7. the BR FlSA Analytic Tools and Processes 8. the BR flSA Analyst Decision and Reporting Process.

rn (U//FOUO) See Declaration of the Director of the National Security Agency (DIRNSAJ dated 13 February 2009.

18

(rS//Sl//NF) rhe interaction of these S)-''Stcrns and processes can be su1nmarir:ed as f{)lhl\VS (see F'igures 1 and 2):

datal1ascs arc accessible to HlZ I'!S/\-authorized intclhgencc analysts_ rncse analysts also use the f{)l]o1,.ving processes: the .c4ctivi(v J)cfection (Alerting) !)roces:,', the J{/L) f1pproval l)roccss, the 13!?. f'l5:4 Anafytic ll:;ofs/f>roce.Yscs, and the J?R 1,15/1 /.fnttl)1st J)ccision/lfc1;ottin:;; 1-)roccss to identify-, query, analyze and ultin1atcly cl.isst,>tninate inf(>rn1ation derived from the 1netadata. 'l'hcsc eight co1nponents, part of a large and co1nplcx systc1n, arc further described ir1 Section IILC~. and pictured in f'igurcs J ~ l (/. r:igure 1 provides a top-level vievv of the overall architectural systein, Figure 2 highlights the eight components, \.Vhilc Fig1trcs 3~ l 0 highlight each of the ir1dividual coinponcnts in greater detail. f'.:ach cornponent is reflected \vith corresp(l11ding colors in the diagran1s. fS//Sl//NF) In concert \Vith this systen1s enginecri11g cnd~to-cnd rcvievv', NSA conducted a thorough rcviev,r of its analytic p~ocesses, rnanagcn1cnt controls, auditing 111ccf;anisms, oversight and training fi)r the I3il FISA tnctadata handling. 'fhis included a thorough exan1in<1iion {)f eJcl1 activity, tOf>l and analytic process to assure that it operated in co111p1iance \.Vith the c:ottrt ()r(ler. r11c rcvic\v Jed to several additional audits to ensure that no coinpliancc incidents had occurred and to cxan1inc vvhcthcr or not the individuals \Vho \Vorkcd v.1 ith the BI-<. F!Sr\ n1ctadata fully understood the a1)plicablc authority and li111itations. Docurnentation and training V..'ere also UJ)datcd. !-~ach part of the review cotnpared t}1c con1poncnt or process being rcvicv.red \vith the relevant requirc1nc11t fron1 the list extracted froin the c:ou1i docu111cnts,
0 (

crS/iSi//NF) NSA 's systc1ns engineering and vvorkf!O\V rcvicv.. s surveyed tl1c processes and t(lOls as they existed bcfcH\.c any rcn1edics \Vere i1nplcmcntcd, T'his retrospective evaluation enablc(l NS/\ to develop the near-tt.'fn1 corrcctivc incasurl.>s nt->cessary f(lr cunc111 c:ourt-ap1)rovcd operations and potential resumption of regular access to the BR -FIS/\ mctadata should it be authorized by the Court, It also inf()n11ed plans f()r incorporating tl1e I3R FIS/\ flov,1 ir,to the NSA future architecture more cffCctivcJy_
1

ll. (lJ) Methodology: ('fS//Sl/.iNF) NS/\ e1nployed a repeatable and \Vc11-documcntcd process in conducting its cnd*to~cnd rcvie\V. NS,\ derived technical rcquiren1ents fron1 the legal rcquirc1nents governing f3R f:JS,\ mctadata handling. /\s noted, NSA si1nultancously began to develop an end-to-end s:ystcn1s engineering diagra111 of the systems and databases that support f5.R processing and storage. NS1\ also developed and conducted Initial Privacy Assess1ncnts (!P As) \Vhich include a standard S(;t of questions used to dctenni11c, an1ong other things, \Vhether the systen1 or J'rocess under rcviev.' interacts \vith data that could contain infc1rn1ation about LJ.S. persons. crhc outco1ne of the IP"\ dctcm1incs \vhcther a n1orc in-

19

depth Pri\ aC)' linpact Asscsstncnt (I}lA) 19 is required to fully explore the extc11t of interaction and \Vl1cthcr any privacy con1pliancc concerns exist ,/\n IPA \Vas con!Jucied for any systcn1 or process identified as potcntia!ly part of the BR F"lSA 111ctadata cnd-tocnd data f1ov-i. r:or those systcrns confirrncd to be ln contact vvith I-3R r:isA 1nctadata via the IPA, a PJA V/J.S pcrfon11cd. rh:; results of the IP As and PlAs \Vere then co111parcd against the c:(}Urt-dcrived requircn1cnts to dctenninc the level to 1,vhich each requirc1ncnt \Vas satisficcL For any systcn1 or process f(,r \Vhich there \Vas concern, f-~S1\ is developing \vcll~docu1ncntcd, fully-tested corrective solutions should the (~ourt decide to allow NSA to rcsu!nc its regular access.
1

C (ll) Results:
l. (U/IFOUO)

("fS//SI/iNF) Except fctr the provider issue identified in Section 1Lf3.6, NS;\ identified no receipt or handling of the BI{ l7 lSA metadata

2. (U//FOUO)

('rS//S!//NF

I NSA's corporate file fonvardl11g service, providcs f{)r

distribution of the Bl{ FISA n1etadata fl-01n the collection source to the analytic repositories, It accepts files from s1)urccs and transpo1is those files to the end dcstinati{)J1S identified in the filcna111e given to t11c file by the sot1rcc system.

(C:i/REl, 1\) l)S.t\, l\t[\') 'fhc IP ;\/PL\ fiamc\vork provided a \Vay tOr the P..gency to assess con1pliancc risk. rhis fra1ncvvork \\as not us..;d to c;uperscdc any (:ourt-dcrived requircn1cnt>i. Both the IPi\ and PJA tcrnplatcs \Vere based on l)epartincnt off)cfCnsc (lJoI)), f)oJ or I!on1eland Security Privacy 1\sses~incnt franJc\vnrks and then adjusted frir the S!Ci!NT Cn\'ironinent. V/hilc IP As and Pl As are not required for the lnt.:!ligcnec ('on1n1unily, they provided a sound n1c1hodology f{1r the systein:' engineering end-to-end
i<J

fCViC\V.

20

TOP SH:RFT/ 1(\)!vilNT!/ORCON!NOHJRN

(TS//SI//NF) is configured to allow dataflows and system accesses by technical personnel to be monitored and logged. The system has security employs security controls that are documented across multiple SSPs. access contrnls1 such as PKJ, to verify users and their system level access and likewise employs file transfor controls20 to verify file transfer access, file source and file destination. The system also employs a stringent configuration management methodology such that software changes cannot be implenwnted without the required testing and approval.
3. (lJ//FOUO)

(TS//Sf//NF) NSA's corporate contact chaining system, accepts metadata from multiple sources. ft accepts the BR FISA metadata files from stores the raw metadata in a separate realm, performs data quality, preparation and sorting functions; and then summarizes contacts represented in the processed data. stores the resulting contact chains and provides analysts with access to these contact chains.

(TS//S II/NF) The portion of the end-to-end review demonstrated that the system is now providing the necessary protection of the BR FISA metadata while it is in the domain given the added protection provided by the implementation of
the EAR and the removal of the system level certificates has always employed other access controls, system security and configuration management practices fbr ensuring appropriate protection of the BR FISA metadata residing in its database and accessed by authorized analysts. They include~ but arc not limited to~ a fully certified and accredited system under a System Security Plan and efiectivc use of corporate authentication and authorization service. (TS//Sil/NF) As stated earlier, NSA installed the EAR on 20 February 2009 in response 21 to a compliance issue previously reported to the Court. Prior to the EAR, NSA was relying on analytic due diligence to qm' .. f y - with only RASapproved selectors. The EAR, via internal software systcn1 controls, now ensures that manual contact chaining is restricted to only those seeds that have been RAS-approved by the Court by preventing a no~ dector from being used as a seed for conducting call c h a i n i n g - ) f t h e BR FISA metadata in the repository. In addition, NSA removed the system level certificate that had been used by automated tools to access the BR FISA metadata. ln so doing, NSA disabled all automated querying of the BR PISA mctadata. Access to the BR FISA mctadata chaining infrJrmation in is strictly controlled via individual user access authentication/permission and this access is logged in accordance with the cun-ent BR FJSA Court Order.

?.;

(Ui/FOUO) See DJRNSA Supplemental Declaration dated 25 February 2009.

.J\)P SECRE'l!C()MlNT/iCH\CONiNCff().RN

21

E~AI< had an unintentional 3Jverse i1npact on the technical support n1ission ofNSA's l3R F!SA~authorizcd data integrity analysis. I)rior to the ad(_iition oftl1e I-2/\.f{, these ana;ysts frequently querie c:ontact C:hair1ing f)al<Jbase f(}r the Iin1itcxl purpose of verifying their parsing rules (a n1cth{>d for separating data into standardized dala fields). At1alysts ccnnposed these rules flJr I-3R FISA inctadata to dctennine \-Vhcthcr the systc1n output represented accurate connections betv,reen conununicants. ln so doing, the data integrity analysts qucr1e using both R/1.S and non-RAS~approvcd selectors, as tl1ey \Vere authorized to <l<L T'his type ofqucrying is especially in1portant \vhen a new data fo1mat is received fio1n one of the providers. ()nee the EA!-( \-Vas put in place, these analysts could only query the datah::isc using a RAS-approved selector. rhis di1ninishcs their abilit)' to test and evaluate thelr parsing rules, NS.r\ is finalizing testing of a technical solution to create an t~:_A!Z-hy-pass capability solely fOr the data integrity ica11L 'f'hc existing impaired ability of the data integrity analysts is assessed as a syste1n pcrf(:;nnance vulnerability, as it could result in i1nproperly f(}mlattc(i data.

("rS//Sl//Nf?) rti_c h11plc1ncnta1ion of the

('f'S/SI//NF) While the f'.AI.Z restricts the ability to query t h e - C'ontact (:haini1lg f)a1abasc to 011ty !ZAS~approvcd seeds, there is no sin1ilar technical restriction to prevent a BR FISA~authorized analyst fro1n cl1aining beyond the ('.{}Uli-rnandatcd three hops fron1 a R/\S-approved selector< NS/\ is tlnaiizing testing of a softi.:varc modification to provide tl1is contact-chaining hop restriction. In t11c mcan!in1e, training and inanagc;ncnt o\rcrsight ensure that contact chaini11g is executed in accordance \Vith the c:ourt Or(lcr.

(TS//Sl/NF) crhc cnd-to-CD{i rcv-icw also identified the fact tha I i11corporatcd a dcfCat list including Bit F!SA-dcri\.rcd selectors to 1nanage data ingest i,.rolu1ncs rnore cffCctivcly'. rhc inclusiot1 ofI~R FJSA-deri\'Cd sc!ectors on this list is described i11orc fully in Section ILFJ.2.
4. (U//FOUO)

is used by authorized 13R FIS1\ (TS/!Sl!/NF anal)- sts to vicvv detailed data about spcciftc calling events. As the c:on1act C'.haining f)atabasc only contains s-.in1marics of one-hop chains (i.e., selector 1 \Vas in contact \1vith selector 2 - N ti1ncs \Vithin a specific tiineframe),
1

('fS/iSI//NF) rf'hc er1d-to-cnd rcvicv./ revealed an area of concern resulting fro111 the fi1ct that queries \Vithin the ad not been attditcd, as described in Section ILB. J, .A.s previous!)' noted, subscqucni audits sho\vcd no in<iication of unat1thorizc<l access to the eta data or of any iinpropcr queryit1g of t h e -

22

(']"S//Sl//NF) 'T'he rcvic\V also identified other systern vvcakncsses. First, lnsufficicnt docun1cntati(H1 and contlguration 1nanagen1cnt (the ability to track versions) exist to ensure that 11(} unauthorized or unintended changes can be made that \Votild tnakc the s 1 stcn1 non-coin lianL Second, although it is attac}1cd lz) the net\vork, the ls not afforded the additional protection of although access to the database is strictly controllecl 1'hird, the is not protected by the f~AR, thus there are no technical 1ncasurcs in place to prevent a BlZ F!SA-approved. anaiyst fron1 querying the mctadata using a non-fZAS~apfJrovcd selector or one that is not \.vithin tv./o hops o-J.' a RAS-apJ)ft}vcd selector. 'fo prevent iinpropcr n1anual queries ofn1ctadatausing non-C:ourt-approvcd selectors, NSA has provided enhanced training to authorized analysts and is conducting regular audits of queries. /\dditiona!ly, analysts using sec a pop-up \.Vindow re1ninding thcn1 to use only I\.AS-approved selectors fi:1r quc1ics and li1nit their chaining to tl1e c:ourt-approved number of hops. frS//SI//NI"') NSA is preparing to incorporate the into the NS.L\ corporate architecture. Tl1is transition to the corporate engineering fia1ncv,rork vvill 1naximize usc of the latest technologies and proven configuration 111a11agorneni to minin1izc any security and co1npliancc risks, ln the intcri1n, NSA is uddrcssing these vulnerabilities through in1provcd training, co1npetcncy testing and increased managcrncnt oversight

5. (tJ//f"O{J()) -relcphony ,\ctivity Detection_ (,i-\iertin.g) Process


('TS//S_!/iNF-) -rhe Activity IJctccticn (,'\Jcrting) Process identified when a selector on the Activity [)ctcction L,lst \Vas i11 contact v,rith an inco111ing number in a gi\'Cn day's BR n1etatiata \vhen that contact originated or tenninated in the lJ .S. 'fhis notiflcation, in tun1, allo\VetI analysts to prioritize their folhJ\V-on analysis. If the J{,l\S standard \Vas n1ct on the sclcct(tf, the systcin pcrt<Jnncd auto111atcd contact chaining in the E~I{ f~!SA 1netadata archive to idct1tif:y and track tctTorist operatives and their support nel\vorks both in the lJ.S. und abroad. If not, a notitlcatfon \vas made to NSA personnel so that they coultl detcm1inc Vihcther to attcinpt to satisf)' the Ri\S standard, \vhich ;,vould then allov,' such co11tact c11ainir1g to take place n1anually.

(-rS//SJ//NF) As noted in Section !l .1\. l .. the 1\ctivitv Detection L3st consisted of


telephony selectors that had been fZAS evaluated as \Vell as selectors that had never been R/\S evaluated. 'fhe original Activity Detection I~ist was built frorn t\vo sources; one \Vas called the "i\.ddrcss Database," \vhich >vas a master target database offiJrcign and domestic telephone identifiers that Vicrc of current f()reig11 intelligence interest to countertcrrorisn1 personnel. 'fhe second source ' 0 / a - 1 \Vhich \Vas an<l continues to be a dttabasc NS/\ uses as a selection n1anagcment SJ'Ste1n to inanagc and task identifiers for SIGINr collt;ction. ()ne of the features is that it is enriched \'<'ith correlations oftclephon)r identifiers associated \\'ith nu1nbers 1asked to the S!CJIN-r systc1n. 'l'his cnrich1nent is enabled by , >vhich is a

of-

23

d.atabasc used to store eo1Tclations bct\0'cen selectors

('rS//Sl//NI,') cfhe 'fclcr;hon)' i\ctivity l)etcction Process is not currently operational as the result of the co1nphancc issue previously reportccl to the f?ISC' 22 an.d as described in Section I!.A.1 of this rcp{}rt. NSr'\ shut dcnvn the Activity Dctectio11 Process entirely on 24 January 2009 as a corrective 1ncasurc. (Of note, under t11c prior in1plcn1cntation bcfi:.>re contact chaining could take place in the co1nplctc body of archived metadata and bcfi:)rc any results of such analysis \Vere dissc1ninated, the alc1iing selector had to satisfy the H.AS standar(I and he approved explicitly as having do11c so.) 'fhis process vvas thoroughly cxan1incd in the course of the end-to-end reviev,r and consequently a revised in1plcn1t.:ntation, as described in Section'\/,;\., has been propose<! should the (~ourt ai1prove rcsuinption of regular access.

60 (TS/IS!//NF) RAS Approval Process


'fhe R,1\S Approval Process is the n1cchanisn1 by vihich an analyst inust !1e able to a1iiculate so1nc fict or set of facts that causes hi111 or her to suspect in light of the totality of the circu1nstanccs that a partic1dar nun1ber is associated \Vi th before he or she 1nay use a telephone nuinbcr or electronic identifier as a seed to query the 131~ Fi SA 1nctadata,
("f'Si/Sl//NJ~)

(1'S///Sl//NF:) 'J'hc Rl\S i\pproval Process in place until 2 T\1arch 2009 (t11c date of the rJSC' ()rder) incorporat<;(l a con1bination of docun1cntcd guidance and \Vcll-undcrstood procedures as out!incd in the ()(J(~ RAS Mcn10 and the analytic office's f(/\S Working Aid. I)uring the three years that DoJ has rcvicvved NSA I-<.AS approvals, no spot check has revealed a faulty I{J\S approval decision.

7. ('I'S//Sl//Nf) BR

l'~IS/;,_

An_alytic 'I'oois and Processes

(I'SiiS!i/NF) 'fhe Elf{ FIS;\ 'l'ools >Vere designed to analyze the ra\V f3R FIS/\ n1etadata as \Ve]] as tl1c (IUtput of analytics such a s - co11tact chai11ing, Analysts used these tools against t}1e E{I{ r:1sA 1netadata and chaining results to identify possible tcnorist con1111unications into, fi:oin and \Vi!hin the lJS. CrS//Sli/NF) T\vo instances of concern related to the analyi:ic tools anci processes used by the 31-t !"."ISA-authorized intelligence analysts \Vere idcntiflcd through the cnd-to~cnd rcvic\'i" and arc described in Sections ILi\..2< and lLB,3. l'hcsc tools and processes, \vhich /ere designed to fln1ction against both the BR FISA 1nctadata and other catcg(Hics of tc!cph<)DJ' n1ctadata that NSA acqu:res through SIGlN'I' operations authorized under the general prtvisions of E() 12333, \V~rc used prin1arily by' analysts \Vi thin NS,\ 's Office of ('ountcrtcrrorisn1 to identify possible terrorist connections into, flT11n, and \Vithin the l_j,S,, as \Ve11 as forcign~to~fi1reign co1n1nunications. 1\vclvc of the 19 analytic tools cxan1ined
(lJ'.-F(JlJ(I) Sec JJJRNSA. I)cc!aration dated J 3 Febrt1ary 2009

24

\Vere developed undcr-systcn1s architecture and arc \Vcll~d{)CU111e11tcd, configuration-controll~hc other seven f~l{ FISi\ analytic tools exarr1incd \Vere developed in vvholc or in part by engineers vvorking in the (:ountcrtcrrorisrr1 ()rgo11ization to 1ncct constantly changing n1ission rcquircinents, resulting in li!nited configurati(1Il and change 1nanagcrncnt control. 1\ll seven of these tools v.cre either 1nonitorcd tbrougl1 existing()&(: audits or vlerc subjected to DC\V audits and/or rcvie1vs as pa1i of the cndMto-cnd rcvicv.. \Vith the exception ~nd (JLJI, none of these tools arc currently able to access the BR F'ISA

of-

1nctactatn.
(1'S//Sl//NI7) 10 1nitigatc risk in the future, NSA \Vill tran.sition the BR FIS,4. analytic tools and processes to the corporate t-JSA enterprise architecture and will no longer cfC\iC]op tools \Vithin the ()ffi.cc of(.'ountcrtcrroris1n. C:'ompletc end~to-cnd testing will be conducted f()f all tools against a standard set of BR F'ISA requircn1cnts to ensure the)' arc fUlly compliant J)rior to resumption of auton1ated operations if authorized by the c:ourt.

8. (U//f'OUO} Analyst Decision and Reportin.g Process


'T'he Analyst t)eeisior and Reporting i)rocess cnco1n1)aSSCS the target kno\Nlcdge. guidelines and procedures that enable intelligence analysts to detcr1r1ine \V}1at inJ(Jr1nation n1ccts custoincr rcquirGrncnts. It also involves the evaluation and 1nini1nizatic1n procedures intelligence a11aiysts c1nploy when analyzing data and drafting and dissen1inating reports,
crs//SI//~lF.)

('I'Si/Sli/NF) I'rior to the alert list shutdo\vn on 24 January 2009. the BR FJSA analyst decision and reporting \vork flo'i.v began v.hen an }fSAC: analyst \Vas notlfied {ff a match bct1vecrt a kno\vn selector of count;::-rte1Tor!sm interest and an identifier in the i11gcste(l I3R r:1sA rnetadata, 1vhen an analyst received an RF! fro1n a customer, or \Vhen an analyst \Vas continuing analysis on an existing target scL Aside fro1n the activity deteclit)n Est, the process remains the san1c today on selectors that arc specifically approved in accordance \Vith the C~uurt's ()rdcrs. ifNSA has reason to believe tl1e inf()rmation constitutes valid threat-related acti\'ity, NSA applies lJSSff) 18 to mini1nize infi:.H1nation concerning lJ.S. persons and then reports the infi:)rmation to the FfSI, CI/\, Nc:rc: and ()DNI, and other custorncrs, as appropriate. (1-Si/Sli/NF) NS/\ revic1,ve{l its anulytic \Vorkflo\V to en.sure the Bf~ FISA n1ctaztata '.vas appropriatcly handled, analyzed and disseminated. crhrcc ne\V areas of COOCCCT1, discussed in Section ILf3, \Vere idc11tiflcd \viti1 the Bf{ FISA i\na!ysis f)ccision and Rcpo1iing 23 Process in addition to that \Vhich \VHS previously (lcscribcd to the c:ourt and discussed in. Sccti<)n rI.1\.
1

1 -'

(LJ /FC)lJ()} Sec Supp!cni.cntal l)l!ZNS/\ !)eclaralion dated 25 February 2009, at 8, Section 2

(lnappropriaie analy"t querying).

25

(cf'S/iSJ/'/NI,') As a by-product of the cnd~to~cnd rcvic\V, NSA has updated the interim analytic I3f{ !"'IS/\ Standard ()pcrating Procedures (S()P) to ensure compliance \Vith fhc current (~ourt ()rdcrs and is coordinating this docu1ncnt with f)oJ as required by the (~'ourL 'rhis SC)!) outlines step-by -ftcp instructions f(}r the auth(Jrizcd intelligence analysts in hant.11ing the f3R l~ISA inctadata; describes the procedures used to control access to the i3R Fl Si\ 1nctadata; JJrovidcs the steps used to conduct \Vcckl)' audits of the analysts' queries and tools; and details the n1ethodology used to query the Bf{ FISA 1netadata under newly established lin1nincnt rhreat c:onccpt of Operations guidelines. NSA \Nill continue to 1na1ntain the SC)P and C~ON()p as "living documents" and update thcni as
1

needed_
(T'Si/SI//NF) NSA also continues tu 1naintain and regularly UJJ(late an 11-stcp co111prchensivc checklist that outlines both the l-fo111ela.nd Mission C.'oordinator and anuly0t rcs1}onsibilitics in the BR FISA mctadata analysis and repo1iing process. rhe ch.ccklist is comprised of over 30 components that require analysts to ans\vcr a variety of questions, including \Vhcthcr the proposed report falls vvithin the scope of liR FISA authorities and express()(_)(: guidelines; \vhcther NSA attcn1ptc<l to get additional inf<)rmation about the selector fforn the F'fil and c:IA integrces al NSA; and vvl1ethcr cellular identifiers vverc checked tG dctenninc if the user had roamed into another country, 'fhc checklist also reminds a11alysts to dctail 1he inf<)]111ation/intclligence S{}Urcc(s) that pl\)l11pted the report's production_ ("I'Si/St//NF') In addition, NSA has in place a con1bination of web pages and on~line aids dedicated to c11d~product reporting and disscn1ination guidance. 'fhcsc dctaile(t \Vorking aids, together 1.vith required LJSSID 18 training for a!i BR f?JSA-approved intelligence analysts, require that any NS.A BR FlS/\~bascd reporting that contains tJ.S. person inf{)nnation i()l!ovv NSA 's standard n1inirnization procedures f{Jund in USSID l 8 and the ('ourt ()rdec

i\". lll//l'(}lJO) NS.1-\ 's J\'1inimization and. Oversight Procedures


(fS/iSI//Nf:) NSA has v,icll-docu1ncntcd and long-standing 1nini1nization procedures for ensuring protection ofLLS. persons' inf()rmation in SlC.iIN"f analysis and reporting u11dcr all SlCJiN"l' authorities, to include the FIS/\ ()rder. NS;\'s nor1nal rcgi1ne ofcom11liancc oversight f(Jr handJi11g the f3IZ FlS;\ is a con1prchcnsi\'C, multi~prongcd approach involving l)<>J and NSA's ()(JC:', ()&C:, ()fficc oftl1c Inspector (_lencral and SID. c:urrc11tly, NSA is required to consult \Vith l)oJ on all significant legal opinion.s involving I3l:Z FIS;\ n1etadata handling. [)oJ 1nccts \Vith the appropriate NSA representatives at least once every rcnC\va1 period to revic1v the prograin. Prior to the 2 March C.'.ourt Order tt1at the F!S(" 1nakc all IZAS detcn11inations, [)oJ also con<iuctcd ''spot checks" to review a san11Jling of justifications (R.r-\S Jcten11ina1ions) f1:.1r querying the 1nctadata. NSA, in turn, provides internal O\'Crsight to the BR FIS,t\ progran1 by a variety of oversight controls and con1plia11cc 111cchanisrns to prevent. detect, correct and report inciclents and violations of the procedures, to include technical, physical and n11.u1agerial safeguards such as: cxan1ining san1plcs of call-detail records to ensure NS.4. is receiving onlycoinpliant d.ata: ensuring analysts are trained in the querying, dissen1ination and storage

26

restrictions for the metadata: monitoring analytic access to the 1nctadata; auditing queries on a \Vcckly basis b}' ()&(,': 1nonitoring audit fUnction2lity; rcYiC\Ning the I3R f,'lSj\ ra\v database repositories; and cx21nining the list ofl(AS-approved selectors.

('fS//S!//Nr:) In light of the co1npliancc issues that surfaced specific to the ha11dling of the 131( FISA n1ctadata, NSA rcvicvvcd its 111inin1ization procedures as \veil as its oversight procedures, to include auditing, docurnentation, at1d training, to identify' areas for potential i1nprovcment. All \verc identified as 2rcas for enhancement to ensure that personnel ha11dling the fJI:Z Fl SA n1ctadata arc a\Varc ofund compliant v.rith the (_'oult ()rdcrs govc1ning its use and dissc:nination.
A. (li) l\-1inin1iz.aticn1

("f'S//SI//NF) E;very NSA intelligence analyst is required to coinplcte training and pass a test on LJSSlI) 18 n1ini1nizalion procedures every t\VO years as a prc-rct.1uisitc for access to u11111inirnizcdiunc\1aluatc(l SICJJN]' data. Additionally, intelligence analysts must receive lHl ()(JC: con1pliancc briefing and on-tl1c-job training (OJ'[) regarding their responsibilities 1~1r J1andling 1nctadata containing l) .S. person infonnati<}fl prior to being gr;:intcd access to the l3R FISA metadata, cfhcy also have on-line access to detailed \vorking aids including required ininilnization procedures. NSA \Vil! continue to c1nphasizc the critical i111po1tanec of applying LJSS!D ! 8 and the ('ourt ()rder rcquirci11cnts as they relate to the handling and disseminatio11 of I3T~ r:rsA.

B. (U) ();,'crsight

l" (U//F'()UO) Oversight Auditing l\lcchanisrtts NS,'\ assessed rcquircn1cnts for auditir,g of systeins. tools, pr(;ccsscs and analyst queries to ensure the propet con1pliance procedures \Vere in place. A totD.1of13 audits related to 13I:Z f'lSA inetadata access and qucryjng \Vere conducted either as the result of standing requircincnts or in response to issues identified through the end~to~cnd rcvic\v. Descriptions of resultant ano1nalics are captured in Section fL
("fS//SI//Nf~)

(1'S//Sl//NF) t--JS,\ au(lits san1ples of queries coriductcd by BR F!SA-autl1orized


intelligence analysts and data integrity analysts in the on a \vcckly basis. As a result ofa revie\v of its oversight processes,()&(~ created a dcdicatt:J senior intelligence analyst positior1 to cn11ancc auditing_ of I3R F!S,\ n1ctadata queries_

2. (lJ//F'()[JO) ()versight Docun1c11tation and Procedures


(rSi/Sfi/Nr,') ()vcrsigh1 docun1cntation and procedures governing llR f'ISA 1nctadata handling consists of a set of S()Ps ,-hat l1ave been rcvie\vcd and revali{lated, 'I'hcy are as fiJJJO\VS:
1

27

* AcccssJ": 'This SC)P outlines the procedures

f()f gaining and n1aintaining access lo the f3R FISA 1netadaia in a v,ray that is compliant \'1'ith the f:SR I~ISA C\Jurt C>rdcr. ,,.BR l<'ISA ,i\.udi! Procedures~': 'fhis document outlines the procedures 1.1scd to audit f31( FISA analyst queries

'1l

''Compliance Notification'~: This docu1nent addresses the procedures to l-ic ti.:lllovved \vl1cn con1pliancc issues arc noted. '"I)o.J and OGf~ Spot Checks'~: 'fhis SOP addresses the procedures to be
f(1llovvcd for the required, regular DoJ and/or OCJC spot checks. "'()vcrsight": -rhis docu111cnt outlines the roles and responsibilities oftl1c DoJ, t}1c NS;\ I)ircctor. tl1c ()(JC:,()&(:, the lnspcctor ( i c n c r a l , a11d t11osc (,'ountcrtcrrorism ()rganization analysts Ufipro,,,,rcd f-Or f~ft F!SA n1ctadata access.

3. {lJ) ()versight rral1iing CT"S//SI//NF) NSA 's Associate I)irectoratc of E~{lucation and 'Training (ADfi'T') had alrcad)' been v,1(;rking \Vith ()&C: and ()(i(~ to redesign the required traini11g f()r accessing l3R I:lSA inctadata to better enforce ar1propriatc handling of this data and to introduce co111petency testing as part of the ()&C: curriculun1. r11e curriculun1 \Vill be achninisti:rcd on-line to allt)W students 24/7 access to the course material.
('fS//Sl//Nf') 'l'he redesigned l:1I-t FJSA portion of the training package addresses the kno\vledgc and procedural co1nponcnts of handling BR F'ISA data, and nov.r rcqttires the analyst to read the n1ost current C:ourt ()rder and the OCiC' instructions, a11d in the future \viil require them to vievv an OCJC' video briefing about the Bi<. f~IS/\. progra1n and co1nt)lctc the folloYving six lcssor1 tutorials: l. "Ovcrvic\v of the Reasonable Articulable Suspicion standard,'' as co\rcrcd in ()(J(," i11structions 2. "Su1nn1ary of the R1\S standard," to aid NSA analysts in i)rcparing RAS j ustificatio11s 3, "Association \Ni1h to identify ho\v associations arc estab!isl1cd in order to qualify a target f()r Rr'\S justification 4. "First Aincnd1ncnt C'onslderations,'' to identify Jhnitations and c<n1siderations \vhcr: targeting lJ.S, pcrso11s \Vithin BR FlSA data 5, "Sources of in.formation." to identify the supporting inforrnation used to justiJ)' the f\AS dcte11nination 6. "T'hc F~lZ FISC: (Jrder," \vhich explains the content of the BR FIS/\ Orders

('f"S//SI/iNI"') A cornputer-hascd con1petency exa1nination \vill be administered upon co1nr,Jelifn1 of this training and ren1ediation \Vill be provided for missed questions. Once an analyst has 'lc111onstratcd the necessary kno\vledge by successfuJI:y passing the cxa1n, he or she \Vil! co1nplctc fon11ali1cd OJ"f before O&C: grants access to the data.

28

(TS/iSl//NF) The OJT component has always been administered by an experienced HMC or senior analyst experienced in conducting OJT, This training specifically addresses how analysts are pennittcd to use the BR FISA mctadata, reinfhrces the unique privacy concerns and handling requiremems of this data, and demonstrates the various tools that can be used to query the BR FISii.. mctadata_ In addition, each HMC and authorized intelligence analyst is required to sign a user agreement documenting that he or she has read and understands the obligations associated with handhng the BR metadata. (TS/!SI//NF) NSA has also begun to provide tailored briefings to all technical personnel that have been granted access to the BR FISA mctadata. The tailored briefings outline the categories of data obtained under the BR FISA Court Order and the restrictions associated 'With the technical personnel's duties, For example, the briefings make it dear that the Collection Managers and System Administrators are not authorized to query the BR FlSA metadata for tlxcign intelligence purposes. The briefing also outlines the coITect offices to contact if the technical personnel see possible compliance issues in the course of their duties. (TS//Sl//NF) As part of the BR FISA training redesign, complete training records will be maintained by ADET fix each individual. The documentation \Vill include the test score, answers to individual test questions, and pcrfimmmce feedback from the orr component. This documentation will allmv for tracking of access to the BR data on an individual basis,

V, {lJ//FOUO} NSA'sflilrrc Architecture (TS/iSI//NF) Using principles of system engineering, configuration management and
access control, NSA has considered the foture implementation of the BR FISA program including the automated activity detection process to be used should the Court authorize NSA to resume regular access to the BR FISA mctadata.

A. (U//FOlJO) Future BR FiSA Activity Detection (Alerting) Process


(TS//SI//NF) NSA could resume automated activity detection in a fully compliant manner should the Court approve. NSA would maintain an Activity Detection (alert) List containing on(y RAS~approved selectors. Only the RAS-approved selectors on this "BR Identifier List" would be compared to the BR FISA metadata. \Vith Court approval to resume automated querying, NSA \Vi11 >.vork with NSD!DoJ to ensure the BR Identifier List \Vil! be populated. \vi th only those selectors that the Court has authorizctt Should the Court grant NSA RAS decision authority, NSA would beg1n to au.brmcnt the BR Identifier List \Vi th additional identifiers that NSA approves as having satisfied the RAS standard, using the improved processes and training identified in this document

B. (lJ) Future of Overarching Architecture

29

Cl'S//Sl//Nf') Jn the future, should the C'ourt authorize NSA to rcsutne regular access to the f3i{ FJS/\ 1netadaia, NSA \vi!! migrate the datal1o\V Jnd lite cycle 111anagc111cnt of the lJl\ F'!Si\ n1ctadata to its next generation system architecture vvhich offers 111orc effective an<l cf1lcjent n1anagcrncnt and co111rol. "rhis architecture is designed to be flexible c11nugh to adapt ti) changes in the legal and oversight rcquircn1ents. \Vhile confonning to applicable governing authorizations such as t:'.() 12333 and I3R FISA.
(l_J//F()l_J()) ln tl1e future architecture, the cnd~to-end IiR FISA datat1ovv vvil1 be referred tct as a systcrn "thread .. , .4.s such, NS/\ vvould manage the entire ca1}ability via a "Thread r:ngincering '"!'earn'' to guide 1-he rcquirc111cnts development, systc1ns intcgraiio11, use-case dcvclop111ent, tcsting/\'alidation and planning i()r current and future enhancc1ncnts. rhrcad engineers \Vou!d 1ncct \viih representatives from the OGC: and C)&C: to define and valich1te rcquirc1ncnts prior to devclopn1cnt. Sysien1-\vide configuration n1anagen1cnt vvould be in1ple1ncnted to log the expected sotl\vaxe builds and patches. Such practices exist no\v, but there is no thread f()cuscd on the Business Records process.

("rS//Sf//NF) '1'hc proposed systc1ns supporting 13i\. FlSA datafloVv' an(i life cycle vvithin the next generation architecture 11C(Hnpass both technical- and personnel-based strategics to ensure that data is accessed, retained and purged in full con1pliancc \Vlth autl1orities granted to NSA by the FISC:. Moreover, the in1plcn1entation of centralized processes and databases \1; ill ensure thar all aspects of the datat1ow will continue lo be tracked and auclitcd to further ensure that any non~con1pliancc issues can be 11ro1nptly identificcl anci acldresscd. i)lans t(>r addressing key requirements fOr Bit }'ISA 1netadata are as fi)llovvs:
1

1.

(ll//~'OlJO}

Security I Access Co11trol

fI'S//SI//NF') A ncvv access control application \Vill be apr>licd to all databases and systen1s supporting the I3R !~IS1\ \\orkf1o\V. cfhis application vvill validate the crede11tiats of users to govern v.hat syste111s they are approved to access, and validate that their required trairiing is current. PKI. \Vhich offers security 1ncasures for identification and authentication, as vvcll as for access control, and uudit capability >vill be used to inanagc users v.1 ith <Jcccss t() the ravv data or query results.

2. (ll//F()lJ()} l)ata Standardization


{cf'S//Sf!/Nr') A data standardization plaiViJrm \Vil! datc-stan1p the incoming Bi{ 1nctadata and ensure its consistent and accurate structure. crhis \1ii]J allo\v quick and accurate datebased purging once the (~ourt-ordcrcd ti1nc ffainc has been reached,

3. (U//F'OLJ()) Databasing R \S Selectors


1

("rS//SI//NF') An updated and in1provcd centralized target kno\vlcdge database for storing telephony and c111ail selectors has been under dcvelop1ncnt since October 2008, 'fhis database 1,vill enable n1ore efficient storage a11d retrieval of key- infonnation about each F:SR FIS/\ tclcphcrny identifier such as its Rr\S status and the justification and ()G('

30

approval as appropriate, f(n those that have been RAS-approved. rhese fCatures arc scheduled f(Jr co1npletion during the fi:1urth quarter of1;'lt)9.

4. (1'S//SI) Analytical l'roccssing and Call L'haining


('rS//Sl//NI;) 1\11 enhanced call chaining function and data processing capability vvill support large volumes of automated algorithn1s, t1andlc grovving ingest rates and dcllvcr faster query responses. Additionally, the rnctadata \Vill be stored using securit)' tags, a measure \vhich can be used to restrict the visibility ofindividual entries in tl1c database to personnel \\/ith the appropriate access credentials.
5.
(U/l~ouo)

Auditing and Monitoring

(lJi/f()LJC)) I'.:nhanccd auditing \vill prcrvidc a tncans to track a data user's activity pattcn1s, tl1c state of a user's operations, and the frequency' and con1position of quciies. A f(Jnnal 1netrics and i11or,itoring syst<::1n \vill also be used to 1nonitor the status of the end-to-end processing and vvill alert 1nanagen1ent and operations personnel \vhen processing ano111alics arc detected.
\ll. (ll) ('.onclusion

{"f'S//SF/NF) 1\s discussed above. NSA has thorougl1ly rcvicv.rcd the technological systems, analy-tic vvorkf1ov.'s and processes associated vvith its i111plemcntation of the Bf{ f;'lS/\ ('ourt ()rdcr, and has introduced corrective 111easurcs to address specific concerns and VL!lnerabiJitiCS. crhesc 11CVi JTICdSUfCS \Vi]l ensure a balanced f(JCUS On techno]ogicai solutions and n1anagc1ncnt controls. --rhe cnd-to~cnd rcvievv also revealed areas for i1nprovc1nent wl1ich have bec11 docu111cntcd and \Vil! continue to be addressed. \Vl1cre changes \Vere n1adc iinpacting current n1anual operations, a con1bination of system evaluations, dc1nonstrations and a1.;di1s provided confidence that the technical fixes arc actually configured and operating as intended.

('TS//SI//NF) 'Ti1e rc111cdia1 actions described in this report are subject to ongoing irnpf(}VC1nent and \vill suppoti strict adherence to the C'ourt Order. Although no concctivc 111casurc is infallible, NSr\ has taken significant steps designed to clin1inate the possibility of any future con1pliancc issues and to ensure lhat the 1ncchanisn1s are in place to detect and respond quickly if on~ \vere to occur,

31

Figure l: OvernH HR FISA Process

'!OP SLC'P Lf/ CC)\llN l' C!RCON

()FOR\

-----------~~~ .... --------~

$.t" -:_;:,
0

_, w

/'-H

:xi ~

Figtue 3: Component of BR FlSA Process addressed in End-to-End Review

--

34

T(H' SFC:R i',l/,{:C)\HNT, '()!\CUNiNOF()RN

Figure 4: Component of .BI{ FJSA Process addressed in End-to-End Review

35

~?_'.

;;.c
... ..-._
--.~

,.. ,..

.............

>:, r"-<
-- ........ ~)''">...

70

\....,;
~'
w,, ...

)V

';?

,.,

,.,.,,,.,;

STATION Table

"--'! SR F!SA Analyst i


Decision & !Reporting Process!

Yes add lo ,t,pproved


Address

No-add to STP1TION T

Reviewing

___ Rep~-~----'

: L.~~------------~~~

!!

TCW s1c-RF-i '-f\)\llN 1- \H{CCY<;NOFORN

Figure 8: Component of BR. FISA Process addressed in End-to-End Revie\V "RAS A n;.val Process"
.
............. .

I P;Jt:h ~ l~e-:J fa~pi:.H1 ~

'"'"" ern~

I :--------------;

/!L;
hs .. )fu;k '"
RAS App-o<ed

l'.::,1:
l
.~-.,,,

NOTF1AS

-1
..,

.-.

..

.,,,.~.,,...,~

,,,.... .,.,,,

..

rx;~

''; I
I

:Chmn-D~~b~ic:
/

lJSAddre;;s1st

knwdrnen! Approval

1 \.-'

Yes-11,ld
lnAptr(IYC-d

rfo-add1o NOft.fiAS

Add'"""

Appnwod
STATION
Tubl~

I
I
I I
' !
I

! i I

--....,
--I /,
< '- - - " " . . . _ . , . . . . . . . . . , _ . . . ,

--.

RAS Approvaf Process

"-----4'"'-~, Corporate S!ora;ie i Servces )

...... - - ------- --~-.,~<-- ....

. c------------------t
i
~~~

/Wtomat<'d Ch?iCTing

'-"

Analyst;; fo()IS
(AC ATS)

STATION Table

RAS

~jJpiOV od

. ,~~,~~~i~,~:;~~i~!'.'
{foreign & Dornestic)

A#ff.S$e8 __ ~ _ ~'11---------------__.,,s

dumof [!;;,. Stiti0r1T"blL_ tt>IDENTDG r--~----~-=~------~--------i d~.:n\) (ii F~nl/0 Sti~tionT~::b;~: t(~ tDFN1 OB; !DENT
8)
;_.:.,ii qu;;:~ii;.'S~f.~!'(nir'.i~dK-d Jg~i~l0 thr~ ''\-=-;j~s{'-

DS

I
- Met RAS

fi~~1 o~ iWP~o\; c-d S('fi:}'.',h~~:.

TOP SECRET //COM !NT //ORCON//NO FORNI/20320108


39

Figure 9: Component of BR FISA Process addressed in End-to-End Rcvfovv "BR FISA Analvtk Tools and Prncesscs'~

40

Telephony I Activity Detection i


._(~J_~_~ing) Process
uo __

t_

I i
i ' i
I

'

RF! &Target Knowledge p~

I i
I

I Reports I
Other

Ir:---~

Portal

Analyst Yes Decision to (Anaytic raft Repo Checklist Used}

I I I Report Process
l

QC & Edits Request for


one~time

j Finished Intel

dissem. of US I !DENT
Yes

I l
I
I

Telephony Target

Knowledge Fcrms

No
I

i i : I
: 1

:--~-1
Queries I Responses (FBI, C!A. NCTC Personneli

[ : i
:

Queries i Responses (NSA Personnen

! j
1

STOP

Coordinatej Edit &Release

L________________ :BR FISA -------------------------------"-

Analyst Decision & :-~-~p~_rting Process


-------------

l1

Report to FBI f CIA/ ODN! i NCTC

Appendix: Glossary of Terms


! ACA f
f---------:;---;:-- --------------------------------- -----------------------.. ___ ------------------------------------------T---~------------------

----------------- ----------- ----------------

-------~-~-~-

------

-------~-

--------- -------------------

Activity Detection List

5ee Aurmnated Chammg and Ana(ys1s fool I and Gl)i I . A list of for~ign and domcsti~ tcleph:me selectors believed to be associated \V1th terrorist targets. The Activity Detection List is independent of the Station Table. Fonnerly called the Alert List, this list is
-----------~-hhhhh~-~h~~~hhN.o=~~hh~-~~hNW~~NWWY~~-------------------------------~-~hhhhhN,NYO"W~N~~

-----------------

-------~---------_----;-----

--------------------------------

-.-----~--;------------1

I I

Components

i
i

r Conhgurat1on Management

----::;---------;----------------.------------------------------------------------------------------------------------1--:--;-----------------------------~--------------,..---------------------------;----------------------------""!

,
1-- ---------,r------------------------------------------------..

:
-----------------------------;---------------------------------------------------------Dc feat List
---r~-J\.-Iz

----r:l\--<l3-iab-ase__c_<;ilt[i:f1_1_;~;g-1I~T~;T;~Ienti-11-~r-;;-----------I \Vhich, based on an analytic judgment,

The core systems and processes identified as part of the BR FJSA metadata workflow against which iP As and PIAs were ' I conducted. - I he process of tracking, controlling and documenting changes in softv-.rarc applications, including revision control and I establishing baselines.

_ :
I

I
'
;
!

I should not be tasked by the SIG INT

'------------------------------------t----"----:----------,;;------------------------:------------------------------------------~----.--~--...----,.--

. ------- ---------------------'-------------------------.. -------------------------------------------r-j/~;::;-i~;;--_;-;;;;;i:::-:4-;;-(:~:-s:~-)?-:?.~1~:1~:-;i;;;;------------------------------

i analytic value for metadata analysis.

' system. i i A hst or selectors that are deemed of httle

I Emphatic Access Restriction (EAR)

~h~~MhhhN~WY"NYYw~-N~v=w~vw~h~~NYW~NYYW~NY-wY~~~~N~-~~~--------------------------------~-----~

hhhNYw----------------------------

A sofhvare restrictive measure written into the middle\vare on 20

=w~~~~~~~~------------------~-h~~h~M~~w~NYYY-~------------

"l{)l' S LCR i' 1 C()f\11 i""--lT'ORC:CNiNC)FORN

TOPS

/.-{'(l!vl l\T--iCJRCCY\'.-NOFOIZ \,

--- -- --- --- - ---------------- -- ----- --- ------------- -- --- -- --- -- ---- ----- -----i- --- ---- ---- --------------------------- --- --------- -- --- ----- ------- ----- ---- ------Fcb ru ary 2009 to prevent a non-RAS appwved selector from being used f()r a ! chain uerv of the BR FISA metadata.

r----------------- --------------------------------------------------------------------------------------------------------------------

initial Privacy Assessment (JPA)

--ij:;p:----------------------------------------------------------------------------------------------------T~~;~;;;;7nili~-1-n>;;:;-,~~<:;;-~45:;:;:~~;.;~;;n;----------,.--------------------1

/\review of a system or process which indudes a standard set of questions used to detenninc, among other things, whether the system or process under reviev.r interacts \vith data that could contain information i about U.S. persons, i

---------------------------------------------------------------------------------------, ___________________ ,,__ '__, ___________________________________________;;----:------------------,.------------------------!

I Mctadata

! "Data about the data ; tor example, f infrwmation about a telephone cau, to include the calling and called numbers, time of call, etc. Metadata docs not include

- __________________,,_______________________________,,___________.,____, ___________________________________ _ __s:~,~~!-~!"lL. _________, ____________ ------------------------------------------------------~


The repository for individual BR FJSA

111ctadata call records fr)r access by


authorized Homeland Security Analysis
!_ _ _ _ _ __ ___ _ __ ____ ___ _____________________________________________________ ___j _

~-:~-~-~~U!}~-~~~~)--~~~~---g-~!~~---j-~~-~g::i!Y_~_~!_'.!lX~_!_?______ j
43

J (1p

SLCRL.1 ('0\-l!N'l-ii(ll\((!NNOF()RN

C)};()l\..N

---------------------------------------------------------------------,--------------------:--------------------------------------------------------------------------------1
A selection management system used to manage and task selectors, such as telephone numbers, lMEis, and iMSls. to many different information collection A method fix separating data into standardized data fields. See Pnvacy impact Assessment .
I

o-------" ,..,, ..,,..,,.,,.----------------------------------------

Parsing Rules
------ --- ---- --- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - h - h O.O.~h~~~~~""h"MWYYYY"Y~Y~---

j
j

--~)'.~-~~!!1.0..'.'~~~~~~~-~~-t~~-'.--------------------------------,..,,,.,,, _______ '


-~--------------~----------------~~~h~~~h~~:h~~~N~~NW~~~~-----------------------------~~-hhhhh

,y-

PJA Public Key lnfrastmcturc (PKI)

-_-_;r:g_t:_-_:::::_:::::_-_-_:_::_:::-:_-:::::-:_::::-:::-:_-:-:::::::-::::::::_::::::-~:--::_::::_-_-_-:::::::::::r~~~~::~'.J'.i~!il1~-:~~i_:Z1~~~~i~:~-~i!:~!-~:_-_::::::::::::~:::=~~::=~--~-.:-_
An infrmnation assurance service that

I offers security measures such as


'

I public-key based security mechanisms, and I identification and authentication, access


i An in-depth, standardized review of
I

I supports digital signatures and other

--------------------------------------------------------------------------------------------------------------L':2::!!~:L~_1_~~--~'.:'.sl\~--~~1~'.::~J-~~~:~----------------------------------------!
Privacy Impact Assessment (PIA)

1- ---- -- --- ----- ------------- --------------- --' Requirements ,


I

The tem1s contained in the governing BR FiSA metadata documents that must be ! i satisfied as part the end-to-end workflow. i --s-a11I1Ec---------------------------------------------------------------------------------l--~~~~f ;;;:;~~~~-;~.-~;~Ht~~~~:~~~:~~~~e~~-~c~-i{;-----------i

-- -- -- -- --------------------------- ----------- j process -- ---- ------- ------------------------------------------ ---------------------------------------

privacy concerns fi)r a particular system or

! customers nt a classification level thev can


; '"'

! methods, capabilities or analytic . I procedures in order to disseminate to

l---;-----------------------------------------------------------------------------------------------------1--~~S'.:: ____;__:______ ,.....................,.,. __________________-----------------------------:---------1 i Seed I An m1trnl selector used to generate a charn
i Selector

[.-----------------______________ -------------------------------------- -----------------------------------------l__q_~_~LZ: ______._________________________-------------------------------------------------------1

I An identifier, in BR F!SA realm could be I


:

f'fili_s_t(i~)n~-li:s--ea-t;;;tf~ic:-;;-i~;-;;~;;<:1ti~1--------------1

! telephone number.
!

i an !MEI, lMSI, or MSISDN, as well as a I


contact chaining against BR FISA mctadata i

1-I
l.

------------------------------------------------------------ .,--------~-----------------------------------------------------------------------~-------------------------------------'

rep SLCRI<

//CO\-tlNT<JRC()N

()f(1RN

44

r----- --------------------------------------------- -----------------------

[_ gr____________________________________________ _

----------------------------------------

r rnj ~~f.t;'~(i';;;;~~i~i;~;ttG'~':t~~eana
, exploitation {

I
----------------------------------j

-------

SSP
--s-i3:n-<l~i-rd--6reraiT~g-1:;~:~;-c-c-<llire--(s6rY-

- - - --- -

,<;cc ,S'.rstem Security Plan


1-n-sii-i:lii-ic->ilali'ze~ra~;z;:;;;;e-1_1_!:;1f~-il--<lc-sc--;n:;{r;g----

---si-iii;~;-f1-~Yab"i0----------.,----------------------------------------------------------:---1-1i-5t(~ric-rcTere!~ce-,;~ra-1Tiel"ef'ti~:;;;y--,se1e-ct~:;-;:~--1

ofncia1 processes and procedures.

I that have been assessed for RAS --- and I their associated RAS determination (RAS
1

r-sti-h~c()-i11-f}(-)i1e;1s---------------------------------------------------------------i---ffl_c i(}-gi"c-aTa11Xr_fl_);s-i-caTb~e8Ici-~)~~~8-~)rt'f;;;;--i

Approved or Not RAS Approved) - since the BR FISA Order \-Vas first signed on 24 May 2006.

__

I that pcrfrmncd specific activities and/or


!

BR FISA mctadata \Vorkflow components

~
!
!
'I

' iiiiiiiiilil-----------------------------------------------------------------------------------------l_t~-~~-~.:?.'.:1~: ____________________________________________________________________________ -

An analytic query tool used to seek out additional infonnation on telephony

selectors fron and other knowledge bases and reporting

:--.~- ---hh~----------------- --------,---~--,vvvvvvv~,Nv.w'-~~~hhh~~,,~~~~~~~hhhh.h-~.~.h----------h--------- --------~-~--~----------------------------------------------------------------------------------------------]

i
1

~--------------------------------------------------------------------------------------------------------------System Security Plan (SSP)


1

l
j

I A next generation mctadata analysis


! graphical
i ~'omntl document de:cribing the

repositories.

user interface (C"JUI) vvhich is the replacement forl

! j;

------------------------------------------------------------------------------

nnplemcnted protection measures for the : [ i secure operation of a computer system. j ' ---- ---------------------------------------------------------------------------------------------------------------,------------------------------------------------------------------------------------------------------------1 Telephony Activity Detection (Alerting) I The process used to notify NSA analysts if i Process there vvas a contact bet\vccn a fi:Jreign ' [ tdcnhonc identifier associated with"'

I
I._ ___ --- --- --- -- ---------------------------------------------------------------------------- ------------------------------

'f(1P

SFC'Ri: i .('Cl\liNT-'i{)R('<_iNi\Ol:C)R\

45

I_ ..... .. .. . . . . . . . .
r----- --- ------------------------- ------ ----------- ---- -----------------------------

::--_-~:r:~-~!i~:~~-~;-~:-~-~I~1?E~!-~~-:~~~0:!Tf~~~:~:~----:~:::_-_-_-~_-_-:_-_-_-:_-_-_-:::_-:-:1

l_
!
I

;:l~p%~,~~ ;~;~c:~i~hl;;~~~~~t~;, ~~~~~~t:

L_________

repositories, the total number of unique contacts, total number of calls, and "first 1 heard'' and "last heard" infrmnation for the : selectoL ------ ------- -------------------------------------------------------------------------------------'-------------------------------------------------------------------------------------------------------------------'

roJ

SEC'RL:r.C'C}\-llN'!-'iORC\)N

OFOHT\

46

U.S. Department of Justice


Office of Legislative Affairs

Office of the Assistant Attorney General

Washington, DC

TOP SECRET//COMINT//NOFORN
UNCLASSIFIED WHEN SEPARATED FROM CLASSIFIED ENCLOSURE

September 3, 2009

The Honorable Patrick J. Leahy Chairman Committee on the Judiciary United States Senate Washington, D.C. 20510 The Honorable John Conyers, Jr. Chairman Committee on the Judiciary U.S. House ofRepresentatives Washington, D.C. 20515 Dear Madam and Messrs. Chairmen:

The Honorable Dianne Feinstein Chairman Select Committee on Intelligence United States Senate Washington, D.C. 20510 The Honorable Silvestre Reyes Chainnan Permanent Select Committee on Intelligence U.S. House ofRepresentatives Washington, D.C. 20515

To keep your committees fully informed of matters pertaining to your oversight responsibilities pursuant to the Foreign Intelligence Surveillance Act of 1978, as amended ("FISA"), 50 U.S.C. 1801, et. seq., we are submitting herewith several documents for your information. The content of these documents were described, in pertinent part, in briefings provided to the House and Senate Intelligence and Judiciary Committees in March, April, and August 2009. The enclosed documents contain redactions necessary to protect the national security of the United States, including the protection of sensitive sources and methods. The enclosed documents are highly classified. Accordingly, while four copies are being provided for review by Members and appropriately-cleared staff from each ofthe four Committees, the copy for the Senate Committee on the Judiciary is being delivered to the Senate Select Committee on Intelligence for appropriate storage. The House Committee on the Judiciary's documents will be delivered to the House Security Office for appropriate storage.

TOP SECRET//COMINT//NOFORN
UNCLASSIFIED WHEN SEPARATED FROM CLASSIFIED ENCLOSURE

TOP SECRET//COMINT//NOFORN
UNCLASSIFIED WHEN SEPARATED FROM CLASSIFIED ENCLOSURE

The Honorable Patrick J. Leahy The Honorable Dianne Feinstein The Honorable John Conyers, Jr. The Honorable Silvestre Reyes Page Two We hope that this information is helpful. Please do not hesitate to contact this office if you would like additional assistance regarding this or any other matter. Sincerely,

Ronald Weich Assistant Attorney General Enclosures cc: The Honorable Jeff Sessions Ranking Minority Member Senate Committee on the Judiciary The Honorable Christopher S. Bond Vice Chairman Senate Select Committee on Intelligence The Honorable Lamar S. Smith Ranking Minority Member House Committee on the Judiciary The Honorable Peter Hoekstra Ranking Minority Member House Permanent Select Committee on Intelligence The Honorable John D. Bates Presiding Judge United States Foreign Intelligence Surveillance Court

TOP SECRET//COMINT//NOFORN
UNCLASSIFIED WHEN SEPARATED FROM CLASSIFIED ENCLOSURE

All redacted information exempt under (b)(1) and (b)(3) except as otherwise noted.

TOP SEC:RET//COiv.HNT//NOFORN
-~
'

. -

UNITED STATES
~

FOREIGN INTELLIGENCE SURVEILLANCE COURT

- .-, =-

,,, .

.f.':~- I!

7 [:\) . i fl

-.

L;!-

I c ; _'i

WASHINGTON, DC

Ji !="C.
I...',_'-- i
.

IN RE APPLICATION OF THE FEDERAL BLJREAU OF il'-NESTIGATION FOR AN ORDER REQUifuTN'G THE PRODUCTION

Docket Number: BR 09-09

REPORT OF THE UNITED STATES (U)

The United States of America, by and through the undersigned Department of Justice attorneys, respectfully submits tl:Iis report and supporting documents in response to the Court's Primary Order dated July 9, 2009, and sL.11ilar predecessor Orders. (TS//SII!NF) The National Security Agency (NSA) has completed an end-to-end review of its handling of call detail records produced pursuatJ.t to the Orders. The review began earlier this year after the discovery that NSA bad not handled the records L-1 the manner authorized by the Court, and it TOP
SECRET//COMINT/tNOFORl~

Classified by: DavidS. Lis. Assistant Attomev GeneraL NSD. DOJ Reason: 1.4( c) Declassify on: 17 August 2034

31 August 2009 Production

45

TOP SECRET//COMINT//NOFOR.,l\i
has identified several serious instances of non-compliance. Although NSA successfully implemented many ofthe Orders' requirements, in several instances it treated records collected pursuant to the Orders in the ma..rmer it treats infom1ation collected under other NSA collections, without the necessary regard for the unique nature &"l.d requirements of this Court-ordered collection. (TS//SI//1'TF) NSA has since remedied these instances of non-compliance, primariiy through a series of technological fixes and improved training. It has implemented the new oversigl1t procedures set fmih in the Orders and self-imposed by NSA, and proposes to implement additional procedures in the event that the Court authorizes NSA to query the records using telephone identifiers that NSA has determined meet the reasonable, articulable suspicion standard. This report, the supporting declarations of the Directors ofNSA (Exhibits A and B) and Federal Bureau of Investigation (FBI) (Exhibit C), and the attached NSA report (Exhibit D) (the "End-to-End Report") aim to provide the Court with assurance that NSA has addressed 3.11d corrected the instances of non-compliance and is taking the additional steps described herein to monitor and

'
ensure compliance Vl'ith the Court's Orders going forward. The documents describe the results of NSA's end-to-end review, the remedies for instances of non-compliance, the testing of technological remedies, and additional procedures employed and proposed to be employed. They also explain how valuable the collection and analysis of the records is to the national security. Based on these fmdings and actions, the Government anticipates that it will request in the Application seeking renewal of docket number BR 09-09 authority that NSA, including certain NSA analysts who obtain appropriate approval, be permitted to resume non-automated querying of the call detail records using selectors approved by NSA. (TS//Sll!NF)

TOP SECRET//COMINT//NOFORN 2

31 August 2009 Production

46

TOP SECRET//COMINT//NOFORN
I.
BACKGROUND (U)

ln docket number BR 06-05 and each subsequent authorization, including docket number BR 09-09, the Government sought, and the Court authorized NSA, pursuant to the Foreign Intelligence Surveillance Act's (FISA) tangible things provision, 50 U .S.C. 1861 et ~, to collect in bulk and on an ongoing basis certain call detail records or "telephony rnetadata." 1 The Goverrunent \vill refer herein to call detail records collected pursuant to the Court's authorizations in this matter as "BR metadata." NSA analyzes the BR metadata, using contact chaining
0

to fmd and identify known and unknown members or agents (TS//SI/tNF)

The Orders direct the Government to treat the BR metadata in accordance with minimization procedures adopted by the Attorney General. Among these wjnimization procedures in docket number BR 06-05 was the following:

number has been associated with More specifically, =~~~~=~.::::.=:..~=....;="-" has identified a known telephone number for wbich, based on the factual and practical considerations of everyday life on which reasonable and prudent persons act, there are facts givi.ng rise to a
"Call detail records," or "telephony metadata," include comprehensive communications routing information, including but not limited to session identifying information(~, originating and terminati.J.1g telephone number, International Mobile Subscriber Identity (Th1SI) numbers, International Mobile station Equipment Identity {IMEI) numbers, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. A "trunk" is a communication line between tt.vo switching systems. Newton's Telecom Dictionary 951 (24th ed. 2008). Metadata does not include the substantive content of any communication, as defined by 18 U.S.C. 251 0(8), or the name, address, or fma.11ciai information of a subscriber or customer. (TS) The Primary Order in docket number BR 06-05 authorized NSA to query the BR metadata using telephone identifiers associated w i t h - . Later exDanded the telenhone identifiers that NSA could use for queries to those associated with on to amend granted in August number BR 06-05 see docket number BR 07-10 (motion to amend related number BR 09-09 approved
2

"~-'-'-'VLl'-'

TOP SECRET//COMINT/!NOFOR.l'f
3

31 August 2009 Production

47

TOP SECRET//COMINT//NOFORN
number is associated provided, however, that S. on shall not be

a telephone number regarded as associated with solely on the basis of activities that are protected by the First ,\mendment to the Constitution.

Order, docket number BR 06-05, at 5 (emphasis added). For purposes of querying the BR metadata, all subsequent Orders in tbis matter required the Government to comply with the same standard of reasonable, articulable suspicion. 3 See. e.g:., Primary Order, docket number BR 0909, at 5-7. As authorized by the Orders in docket numbers BR 06-05 through BR 08-13, NSA determined which telephone identifiers met the RAS stanctu-d and, therefore, could be used to query the BR metadata.
l11

addition, the Orders contained minimization procedures that

governed other aspects of the use, retention, and dissemination ofBR metadata. (TS//SIJ/NF) Beginning in mid-January 2009, the Government notified the Court of instances of noncompliance with the Court-ordered minimization procedures in this matter. The first vvritten notice, filed on January 15, 2009, reported that, through an automated "alert list" process, NSA had conducted automated queries of the BR metadata using non-P'-'"'-S-approved telephone identifiers. NSA shut down this automated alert list process entirely on January 24, 2009, and the process remains shut dov-m. (TS//SI/!NF)
By Order dated January 28, 2009, the Court ordered the Govemi'11ent to file a written

brief concerning the alert list process. In response to this Order, the Director ofNSA ordered that NSA complete an end-to-end system engineering and process revie\V of its handling of the BR metadata. On Febmary 26, 2009, after it filed its brief, the Government provided written notice to the Court of additional non-compliance incidents. These incidents were identified as a

this memorandum the Govern..n1ent will refer to this standard as the "R.A_S standard" and telephone identifiers that satisfy the standard as "R.<\S-approved." (S)
L.1

TOP SECRET//CO!'T1INT//NOFOR_N 4

31 August 2009 Production

48

TOP SECRET//COMINT//NOFORN
result of the end-to-end review and, like the alert list process, also concerned queries of the BR metadata using telephone identifiers that were not RAS-approved at the time of the queries. (TS//Sl/;NF) On March 2, 2009, the Court issued an Order that required NSA to seek Court approval to query the BR metadata on a case-by-case basis, except where necessary to protect against an imminent threat to human life. The Court further ordered that: Upon completion of the government's end-to-end system engineering and process reviews, the government shall file a report with the Court, that shall, at a minimum, include: a. an affidavit by the Director of the FBI, and affidavits by any other official responsible for national security that the govenll1lent deems appropriate, describing the value of the BR metadata to the national security of the United States and certifying that the tangible things sought are relevant to an authorized investigation (other thful. a threat assessment) to obtain foreign intelligence information not concerning a U.S. person or to protect against international terrorism or clandestine intelligence activities, and that such investigation of a U.S. person is not conducted solely on the basis of activities protected by the First A1nendment; b. a description of the results of the NSA's end-to-end system engineering and process reviews, including any additional instances of non-compliance identified therefrom; c. a full discussion of the steps taken to remedy any additional noncompliance as well as the incidents described herein, and an affidavit attesting that any technological remedies have been tested and demonstrated to be successful; and d. tbe minimization and oversight procedures the government proposes to employ should the Court decide to authorize the government's resumption of regular access to the BR metadata. The Court's Primary Orders in docket numbers BR 09-01, BR 09-06, and BR 09-09 contain these same reporting requirements. (TS//SU/NF)

TOP SECRET//COMINT//NOFORN
5

31 August 2009 Production

49

TOP SECRET//COJ\UNT//NOFORN
Subsequent Orders have required that the Government's repon include additional information regarding certain instances of non-compliance and/or other matters. These further reporting requirements are summarized in the Primary Order in docket mu-nber BR 09-09:

a full explanation of why the govem1nent has permitted dissemination outside NSAofU.S. person information in violation oftbe Court's Orders in this matter; a full explanation of the extent to which foreign-to-foreign communications from orders of the FISC, and whether the NSA storage, tion of information in those records, or derived therefrom, complied with the Court's orders; and either (i) a certification that any overproduced information, as described in footnote 11 of the govem_,_-nenfs application [i.e., credit card information], has been destroyed, and that any such information acquired pursuant to this Order is being destroyed upon recognition; or (ii) a full explanation as to why it is not possible or otherwise feasible to destroy such information.

"'

~~>

(TS//SI//NF)
H. VALUE TO THE NATIONA.L SECURITY (U)

Analysis of the BR metadata addresses a critical, threshold issue for the Government's efforts to detect and prevent terrorist acts affecting the national security of the United States: identifying the terrorists and their associates. Ex. B at 4-5, 15; Ex. Cat 4, 19. analysis of the BR metadata- contact c h a i n i n - share this purpose. Contact chaining analysis identifies which telephone identifiers have been h1 contact with a telephone identifier reasonably suspected to be associated with a terrorist. Ex. Bat 5-7. -

(TS/ /S LI!NF)
Because the BR metadata is a collection of historical telephony metadata, NSA analysts are able to look back in time to identify not only recent contacts and patterns, but those
i11

the

TOP SECRET//COMINT//NOFORN
6

31 August 2009 Production

50

TOP

SECRET//COMINT//NOFOR,~

past. Id. at 6. By the time the Governrnent associates a telephone identifier with a terrorist, the terrorist who was using it may have moved on to a new one. The historical nature of the BR metadata, hovv'ever, allows for the identification of past contacts- It, therefore, increases the likelihood of identifying previously unknovm associates and telephone identifiers. Id. at 6. (TS//SV/1\1F) The BR metadata provides information on the activities of terrorists and their associates that is not available from other sources of telephony metadata. Collections pursuant to Title I of FISA, for example, do not provide NSA with information sufficient to perform multi-tiered contact chaining . Id. at 8. NSA's signals intelligence (SIGINT) collection,

because it focuses strictly on the foreign end of communications, provides oDJy limited information to identify possible terrorist connections emanating from within the United States. Id. For telephone calls, signaling information includes the number beiil.g called (which is necessary to compiete the call) and often does not include the number from which the call is made. Id. at 8-9. Calls originating inside the United States and collected overseas, therefore, often do not identify the caller's telephone number. Id. Without this information, NSA analysts cannot identify U.S. telephone numbers or, more generally, even determine that calls originated inside the United States. Id. (TS//SI//NF) The BR metadata helps fill these foreign intelligence gaps. Unlike information NSA acquires during its traditional SIGINT operations outside the United States, the BR metadata identifies the telephone identifiers of the person placing a telephone call from v,rithin the United States. Id. at 9. It also identifies the U.S. telephone identifiers of persons receiving a call from a foreign terrorist. NSA thus is able to provide the FBI \vith information about contacts bet\veen a

TOP SECRET//COMINT//l""iOFORN 7

31 August 2009 Production

TOP SECRET//COMINT//NOFORN
U.S. telephone identifier and a foreign terrorist, thereby alerting it to possible terrorist-related activity within the United States. ld. at 9-10. (TS//Sl//NF) According to NSA, not having this i.J.J.formation can have grave consequences. As an illustration, prior to the September 11, 2001, attacks, NSA intercepted and transcribed seven calls made by
h~iacker

Khalid al-M.ihdhar, then living in Sru'1 Diego, California, to a telephone


a.11

identifier associated with

al Qaed.a safe house in Yemen. ld. NSA intercepted these calls

through its overseas SIGINT collection and, as noted above for telephone calls originating within the United States, the calling party identifier was not included in the signaling information. Id. Because they lacked the U.S. telephone identifier and had nothing in the content of the calls to suggest that al-Mihdhar was inside the United States, NSA analysts mistakenly concluded that alMihcihar remained overseas when, in fact, he was in Scal. Diego. Id. The BR metadata, by contrast, would have included the missing information and might have permitted NSA analysts to place al-Mihdhar within the United States prior to the attacks and tip that infonnation to the FBI.
4

Id. (TS//SV/NF) NSA acts on and otherwise makes use of the results of its BR metadata queries. I d. at 3.

Wnere appropriate, it provides those results to other U.S. Government and foreign govero.ment agencies. From May 2006 (when the Court issued the frrst Orders in this matter) through May 2009, NSA disseminated 277 reports contaiDing approximately 2,900 telephone identifiers that NSA had identified t11rough its a11alysis of the BR metad.ata. Id. at 12. (TS//Sli!NF) The tips or leads the FBI receives are among the most important because they can act as an early warning of possible domestic terrorist activity. Ex. Cat 6-7. As noted above, the BR
4

The 9/11 Commission Report aliuded to the failure to share information regarding a facility associated with anal Qaeda safehouse in Yemen and contact with one ofthe 9/ll hijackers (al Mihdhar) in San Diego, California, as an important reason the L.1telligence Com1nunity did not detect al Qaeda's planning for the 9/11 attack. See "The 9/11 Commission Report," at 269-272. (Dl

TOP SECRET//COlVIINT/!NOFORN
8

31 August 2009 Production

52

TOP SECRETI/COMINT//NOFORt'i
metadata is unique in that it can provide more complete information about domestic telephone identifiers in contact with teLTorist associates. The earlier FBI obtai.IJ.S information about a threat-in this case, information about a domestic contact-the more likely it will be able to

protect against the threat. Id. at 6. \Vithout BR metadata tips, the FBI might ne:ver learn about
domestic contacts; with these tips, it learns about them promptly. ld . (TS//Sli/NF) The FBI has opened predicated international terrorism investigations based, at least in part, on BR metadata tips, including twenty-seven full investigations between May 2006 and the end of 2008. Id. at 7-9. In those cases, BR metadata provided predication for opening the investigation. 5 Id. at 7. Examples are set forth in the accompa1'1yi.ng Declaration ofthe FBI Director. Id. at 9-19. In other cases, BR metadata provided additional information regarding an existing investigation and advanced that investigation. Id. at 5-6. In any such case, the BR metadata was a valuable source of foreign intelligence for the FBI, assisting it in uncovering the operations and in

thwarting terrorist activities targeting the United States, its citizens, and its interests abroad. 6 ld. at 19. (TS//Sli/NF)

Ill.

RESULTS OF THE END-TO-END REV1EW (U)


The results of the NSA's end-to-end review are discussed in detail in the Director of

NSl.'s Declaration (Exhibit A) and the End-to-End Repon (Exhibit D). Generally, the end-toend review focused on two major components of implementation of the BR FISA Orderssystem-level tec:b..nical engineering and execution within the analytical framework. The end-toIn these tv.renty-seven full investigations opened based on BR metadata tips, the FBI has issued forty-six intelligence information reports to U.S. government agencies and thirty-one intelligence information reports to foreign government partners. Ex. Cat 9. (TS//SI//N'"F)
Based on the value of the BR metadata, the FBI Director has certified that the BR metadata is relevant to authorized investigations (other than threat assessments) to obtain foreign intelligence information to protect against international terrorism. See Ex. Cat 19. (TS//Sli/Nr-)
6

TOP SECRET//COlVUNT//NOFORN
9

31 August 2009 Production

53

TOP SECRET//COMINT//NOFOR.t'\1 end review revealed that there was no single cause of the identified instances of non-compliance and that there were a number of successful oversight, management, and technology processes that operated appropriately. Nonetheless, the end-to-end review uncovered additional instances of non-compliance, all of which were brought to the Court's attention shortly after their discovery during the end-to-end review. 7 The NSA concluded that these instances of noncompliance stemmed from or were exacerbated by a primary focus on analyst use of the data, the complexity of the overall BR FISA system, and a lack of shared understanding among the key stakeholders as to the full scope of the BR FISA system and the implementation of t.lj_e BR FISA Orders. Each specific instance of non-compliance identified as part of the end-to-end review is briefly discussed below. The remedies for the instances of non-compliance are discussed in the following section. (TS//SI/INF)
A. Domestic Identifiers Designated as R.I\.S-Approved Without Review by NSA OGC (TS)

The end-to-end review revealed that historically a significant number of domestic identifiers -were added to the Station Table as R-A..S-approved without first undergoing the required review by NSA OGC. This happened in tvvo distinc.t ways. First, identifiers reponed to the intelligence Community as having a connection with one of the Court-approved terrorist organizations before and after the BR FISA Orders \Vere, untll December 15, 2008, added to the Station Table as R/\S-approved without NSA OGC review. 8 Second, NSA discovered that

As a result of the end-to-end review, NSA aiso discovered several areas that presented a potential for non-compliance or a vulnerability in management and/or oversight controls. \Vhile these areas were not deemed compliance matters and therefore are not discussed in detail herein, the issues and the steps NSA has taken to address them are disnJ.ssed in the End-to-End Report in sections II.B.l, II.B.4, and ll.B.5. (TS) This matter was identified as a potential instance of non-compliance on page 4 of Exhibit C to the Application in docket number BR 09-0 l filed on March 4, 2009, and is discussed in section of II.A.4 of the End-to-End Report and on page 12 ofExhibit A. (S)
8

TOP SECRET//COMINT//NOFORN 10

31 August 2009 Production

54

TOP SECRET/JCOlVUNT//NOFORN historically errors were made \Vhen implementing the BR FISA Orders and consequently some domestic identifiers were initially MS-approved without the required review by NSA OGC. 9 (TS/ /S li/NF) B. Data Integrity Analysts' Identification and Use of Non-User Specific Identifiers (S)
NSA discovered during the end-to-end review that Data Integrity Analysts 'Nere, as part

of their authorized access to the BR metadata, identifying identifiers not associated with specific and sharing those identifiers with analysts through out the NSA not authorized to access the BR metadata. 10 (TS//SVJNF)
C. Use of Non-RAS-Approved Correlated Identifiers to Query the BR Metadata (TS//Sl//NF)

The end-to-end review revealed that management practices and NSA tools permitted analysts to query the BR metadata using a non-RA,_S-approved identifie.r iftl:,at identifier was correlated to a RA. S-approved identifier. 11

---9

While

historically NSA tooLs permitted queries of non-RAS-approved identifiers based o~

This matter was the subject of a preliminary notice of compliru'l.ce incident flled on June 29, 2009, and is discussed in section of II. B. 7 of the End-to-End Report and on pages 12-13 of Exhibit A. (S)
iO This matter was the subject of a preliminary notice of compliance incident filed on May 8, 2009, and is discussed in section of IT.B .2 of the End-to-End Report and on pages 18-20 of ExJJ.ibit A. (S)

This matter was the subject of a preliminru--y notice of compliance incident filed on June 15, 2009, and is discussed in section ofii.B.3 of the End-to-End Report and on pages 13-15 ofExJlibit A. (S)

11

TOP

SECRET//COMINT//NOFORt~

11

31 August 2009 Production

55

TOP SECRET//COMINT//NOFORN

D. Improper Dissemination of the Results of BR FISA Queries (TS//Sli/NF)


As a result of the end-to-end revie\v, it was revealed that NSA's historic, general practice as to the dissemination of U.S. person identifying information derived from BR FlSA information was to apply United States Signals Intelligence Directive 18 (USSID 18) and not the more restrictive dissemination provisions of the Court's Orders. 12 In addition, NSA also uncovered
tv\1 0

specific instances of non-compliance concerning the dissemination of BR FISA

query results. First, NSA discovered that unminimized query results were available to Central Intelligence Agency (CIA), FBI, and National Countertemorism Center'(NCTC) analysts via an NSA database. 13 Second, NSA discovered that on one occasion ll.J.JIIJinimized U.S. person identifying infonnation was improperly
14

(TS//Sl!/NF)

- - - - is the so:ftNare tool interface used by analysts to manually query the BR metadata chain summaries. In connection with the end-to-end review, NSA developed a new version o - that limits the number of hops peffilitted

This practice was the subject of a preliminary notice of potential compliance incident filed on June 26, 2009, and specifically mentioned in the Court's Primary Order in docket nu_mber BR 09-09. This practice is mentioned in section II.B.9 of the End-to-End Report and discussed more fully on pages 36-38 of Exhibit A. (S) This matter \Vas the subject of a preliminary notice of compliance incident flled on Ju.11e l6, 2009, and is discussed in section ofii.B.S of the End-to-End Report. A fuller explanation ofthis practice is set for"t.h at pages 29-36 of Exhibit A. (S) This matter was the subject of a preliminary notice of compliance incident flled on June 29, 2009, and is discussed in section of II.B.9 of the End-to-End Report. (S)
14

12

13

TOP SECRET//COMINT//NOFORJ.'\f 12

31 August 2009 Production

56

TOP

SECRET//CO"MINT//NOFOR~

from a RA.S-approved telephone identifier to three, in accordance v.tith the Court's Orders. During testing of the beta version restriction, a feature calle NSA deterrnined that, despite the hop could be D.-woked to

provide an analyst with the number of unique contacts for a third-hop identifier, a type of information that would other-Nise only be revealed by a fourth hop. 15 Prior versions also included feature. (TS//SIJ!NF)

o~-

IV.

STEPS TAKEN TO REMEDY INSTANCES OF NON-COMPLIANCE (lJ)


In addition to those instances of non-compliance noted above, Exhibit A and the End-to-

End Report address three instances of noncompliance noted in the Court's March 2 Order-the Telephony Activity Detection Process, analysts.
18

1 -

17

and certain inappropriate queries by NSA

All of these instances of non-compliance have been remedied, and the NSA Director

has attested as to the testi.J.J.g and functionality of the technological remedies employed by NSA. Ex. A at 28. For purposes of discussing the remedies implemented by NSA it is helpful to divide the instances of noncompliance into two broad categories: ( 1) nnauthorized queries via automated processes and tools; and (2) operator errors within the BR FISA analytic fr3.t-nework.l
(TS!/SI!/NF)
9

This matter was the subject of a preliminary notice of compliance incident filed on lwgust 4, 2009, and is discussed on pages 15-17 ofExhibit A (S)
16

15

This issue is discussed in section of ll.A l of the End-to-End Report and on pages 5-7 of Exhibit A. (S) This issue is discussed in section of ILA.2 of the End-to-End Report and on pages 7-9 of Exhibit A. (S) This issue is discussed in section of ILA3 of the End-to-End Report and on page 9 of Exhibit A (S)

17
1

The NSA' s identification and use of non-user specific identifiers is not addressed below, as that formerly non-com_piiant practice -was specifically authorized by the Court in docket number BR 09-09. See Primary Order, docket number BR 09-09, at i2. (TS)

19

TOP

SECRET//COMINT/fl,fOFORt~

13

31 August 2009 Production

57

TOP

SECRET//COl\UNT//NOFOR_~

A. Unauthorized Queries Via Automated Processes and ToDis (U//FOUO) NSA has remedied the Telephony Activity Detection Process a n - incidents by eliminating their ability to access the BR metadata. Ex. A. at 6-8. Specifically, NSA shut down the flow of incoming BR metadaL>t into the Telephony Activity Detection Process on January 24, 2009. Id. at 6. Accordingly, the Telephony Activity Detection Process could no longer query the incoming BR metadata with the non-R...t\_S-approved identifiers on the alert list On February 20, or SllY other automated processes and tools from accessing the BR metadata in i database by

removing all previously used Public Key Structure (PKI) system-level certificates that gave processes and tools access to the BR metadata. 20 Id. at 8-9. By removing these PKI system-level certificates NSA revoked all automated processes and tools' access to the BR metadata in

~-

and, therefore, rendered the automated query processes and tools inoperable. ld.

The end-to-end review concluded that apart from the Telephony Activity Detection Process's querying of incoming BR metadata, no other automated processes and tools queried BR metadata outside o~ Accordingly, the removal of the PKJ system-level certificates ensures

that no automated processes or tools are now permitted to query the BR metadata. (TS//SIJ/NF)
The Emphatic Access Restriction (EAR), discussed below, provides further protection against automated processes and tools from querying the BR metadata inappropriately. Specificaily, even

i~ or some other tool were permitted to access the BR metadata,

EAR would prevent it from doing so with anything but a R.,<\S-approved identifier. EAR 'IVill
continue to serve this function even if the Court grants NSA's request to resume queryi.J.J.g based on its own RAS-approval authority. See id. at 28-29. (TS//Sl/iNF)
A PKl system-level certificate is essentially a "ticket" used by the system to recognize and authenticate that the automated capability has the authority to access the database. See Ex.. A at 8. (TS//SI/!N.b)
20

TOP SECRET//COMINT//NOFOR.J'\1 14

31 August 2009 Production

58

TOP SECRET//COMINT//NOFORN
B. Operator Errors with the BR FISA At>alytic Framework (TS)

Several instances of non-compliance resulted from analysts' actions that were inconsistent with the Court's Orders rather than the functioPing of a specif1c teclo.no1ogical
\

process or tool. Although some humai1 error is inevitable in any activity, NSA has addressed each of the identified areas prone
to

human error with a combination of improved oversight and

training, regular reports to the Court, and technological remedies. (TS)


1. Queries with Non-R..\.S-Approved Identifiers (S)

As noted in the Court's March 2 Order and uncovered during the end-to-end revie\v,
analysts used
non-R.A~.S-approved

identifiers to query the BR metadata. See III. C.

l!Q@;

Ex. D

at Il.A.3. NSA eliminated the potential for this ty-pe of analyst error from being repeated by implementation of the EAR on February 20, 2009. See Ex. A at 9, 15. (TS//Sli/NF) The EAR is a softvvare restrictive measure that prohibits queries to the BR metadata in - - u s i n g non-MS-approved seeds. Before a given query to the BR metadata is executed, the EAR in effect checks the RA_S status of the seed for the query against the Station Table. If the seed for a given query is RAS-approvecl, the EAR permits the query to be run. If tbe seed for a given query is not RA,_S-approved, the EAR will not permit the query to be executed. 21 In this way, NSA has provided a teclo.nological remedy to the potential for analysts entering non-B.AS-approved identifiers as query seeds, and this remedy will continue to apply should the Cou_rt permit NSA to resume non-automated querying of the BR metadata. Ex. A at 910. (TS//SV/NF)

The EA.,.'Z does not offer the same protection to the BR metadata outside of NSA's audit of queries to queDes \Vere run by NSA intends to migrate the functionality of its successor, to bring ail BR metadata lLTlder the protectwn o (TS)

21

TOP SECRET//COMINT/INOFORN 15

31 August 2009 Production

59

TOP SECRET//COI'MNT//NOFORN 2. Queries More Than Three Hops From R.<\S-Approved Identifier (S) As noted above, the beta version o f - and prior versions contained the

IIIII

-feature that gave analysts contacts information that normally is available only on an unauthorized fourth hop from a RAS-approved identifier. NSA c o r r e c t e d - to disable t h e - feature for last-hop identifiers. As of July 31, 2009, analysts can access the BR metadata contact chain sununary repository only through use All prior versions

o f - have been locked out from access to the BR metadata contact chain summary repos1tory. Ex. A at 16-17. (TS!ISV!NF)
3. Improper Designation ofldentifiers as RAS-Approved (S)

As uncovered during the end-to-end review, historically NSA had included on the Station Table as RAS-approved identifiers reasonably believed to be used by U.S. persons without those identifiers being reviewed by NSA OGC. See III.A supra. The first step to remedying this noncompliance was to change the identifiers that should have been reviewed by NSA OGC from "R.t\S-approved" to "not-RAS-approved." NSA did this for the identifiers designated as RASapproved based on being reported to the Intelligence Community in early February 2009. Ex. A. at 12. NSA reports that the few identif1ers improperly
~-'\S-approved

in 2006 were all identified

and disapproved or properly approved in 200ti shortly after they \Vere identified. Id. at 13. Continued training and oversight mechanisms employed by NSAare designed to ensure that these incidents
\~vill

not be repeated. (TSI!SV/l\TF)

4. Imp :roper Disseminations of U.S. Person Information (S) As uncovered during the end-to-end review, NSA disseminated BR metadata-derived U.S. person infonnation in a manner not consistent with the Court's Orders. See IILD.
.illR:.
ii1

The mechanism that resulted in the iLJ.appropriate dissemination- was shut down

TOP SECRET//COlVIINT//NOFORN 16

31 August 2009 Production

60

TOP

SECRET//COMINT/fi~OFORc~

advance of the end-to-end review, and, therefore, required no remediation. Moreover, NSA confirmed that ~urged the inappropriately disseminated information from its systems and did not further disseminate it before doing so. Ex. D at 18. NSA disabled external access to the database that was the other mechanism for inappropriate disseminations on June 12, 2009. Ex. A at 33. NSA's review concluded that approxin1ately one-third of the 250 analysts with permission to access the database between August 2005 and January 2009 actually accessed it. Id. at 34. NSA further determined that approximately forty-seven analysts queried the database in the course of their counterterrorism responsibilities and accessed directories contai..ning the results of BR metadata queries, including UJ."l-minimized U.S. person-related information. Id. Finally, a review ofNSA reports containing BR metadata with U.S. person identities indicated a significant number of dissemination were approved by an official pennitted to approve such determinations pursuant to US SID 18, but not the Colli-t's Orders, and without t.lJ.e appropriate determination required by the Court's Orders. Id. at 38-39. 22 (TS//SV!NF) As noted in section VI below, additional training and oversight, as well as the weekly reports to the Court on disseminations, should prevent si..milar instances ofnoncompliance.
13

Moreover, as noted in Ex_hibitA and the End-to-End Report, these and other non-compliant dissemination practices were the product of an incomplete understanding of the dissemination

22

1-1 docket number BR 09-09, the Court approved additional individuals to approve disseminations to include the Chief, Information Sharing Services, the Senior Operations Officer, the Signals Intelligence Directorate (SID) Director, the Deputy Director ofNSA, and the Director ofNSA. (TSi/SI/f}..Tf)

In addition to the above practices, NSA' s litigation support team conducts prudential searches in response to requests from Department of Justice or Department of Defense personnel in connection with criminal or detainee proceedings. The team does not perform queries of the BR metadata. See Ex. A at 36 n.19. The Government respectfuiiy submits that NSA's sharing ofU.S. person identifying information in this manner does not require a dissewination determination and need not be accounted for in NSA' s weekly dissemination report. (TS//SL'!NT)

23

TOP SECRET//COMINT//NOFOR..i'\1 17

31 August 2009 Production

61

TOP SECRET//C01\1INT/!NOFOR.I\f requirements set forth in the Court's Order, and as a result of the end-to-end review NSA persormel are now well aware of the Court-ordered disseroination requirements. (TS//Sli/NF) V. OTHER MA. TTERS (U) A. Storagel Handling and Dissemination of Foreign-to-Foreign Records (TS) NSA has acquired records of foreign-to-foreign communications V-/ith the possible exception of certain foreign-to-foreign records produced by NSA has stored, handled and disseminated foreign-to-foreign records produced pursuant to the Orders in accordance with the terms of the Orders. See Ex. A at 3 (TS//Sli/NF)
44-46

TOP SECRET//COMINT//NOFORN
18

31 August 2009 Production

62

TOP SECRET//COMINT/INOFORN

NSA advised that for the first time, in May 2009, pmsuant to the Orders. stopped its production of this set of foreign-to-foreign records on May 29,2009, after service of the Secondary Order in BR 09-06, which carves out foreign-to-foreign records from the description of records to be produced. Id. at 42-43. (TS//SI//NF)

Furthermore, because the records are records of foreign-to-foreign coilli-nunications, almost all of them do not concern the communications of U.S. persons. To the extent any ofthe records concern the communications of U.S. persons, such comn1u_llications would be afforded the same protections as any other U.S. person communication

TOP SECRET//COMINT//NOFORN 19

31 August 2009 Production

63

TOP SECRET//COMINT//NOFORN

B. Storage and Handling of Credit Card Information (TS)


In the months after the issuance of Orders in docket number BR 06-05, a smal) percentage of records produced by

and

contained credit card numbers -in one of

the fields \Vhen a caller used a credit card to pay for the call. See Ex. B, docket number BR 0608, at 6-8.
l~~t

NSA's req

and

removed credit card numbers from this field in

the records they provided to NSA starting on July 10, 2006, and October 11, 2006, respectively. Ex. B, docket number BR 06-12, at 5-7. Since that time, NSA spot checks have confirmed that ue to remove credit card numbers from the relevm1t field. Ex. A. at 48. Also since that time, NSA spot checks have identified orJy one record containing a credit card number. Id. That record, identified in a March 2008 spot check, contained a credit card number in a field different from the field filtered and ld. (TS//SV/NF)

According to NSA, it is not feasible for NSA to destroy the records received before October 2006 and the one identified in March 2008 that contail1 credit card numbers. At this time, the records are stored iL1 one of three locations: back -up tapes, raw records, and the
1

storage of

?< D . recoms ' storea many orr t h ese -estro:ymg

Although NSA used the records that contain credit card numbers to make chain summaries (which in rum are stored in the chain summary database), the credit card numbers did not become part of the chain SUIT',J."''laries and, therefore, are not stored in the chain SU!."''l.mary database. Id. at 48 n.26. (TS//Sl//Nt)

25

TOP SECRET//COMINT//NOFORN
20

31 August 2009 Production

64

TOP SECRET//COMINT//NOFORN
three locations requires significant personnel, time, and system resources that are not justified given the operational need for certain information and the measures to secure the records. Id. at 48-50. (TS//SV!NF)

NSA has an operational need for the non-credit card information contained in the records.
To destroy records in the that contain credit card numbers, NSA

would have to destroy a swath of records in addition to those few containing credit card numbers. Id. at 49. In the event of a catastrophic failure, NSA would rebuild the contact chaining database with records now stored on tapes. IfNSA were to destroy those records that contain credit card information, either in the or on tapes, it would

lack information that is necessary for operations and that otherv,rise it is authorized to retain under the Orders. Id. at 48-49. (TS//SIJ/NF) Balanced against this sigPificant operational loss is the reasonable measures currently taken by NSA to secure the records. Records contained on back-up tapes and in raw records are not available to analysts for queries. In the

,NSA

masks the credit card numbers when the records are retrieved in response to an analyst query. ld. at 48-50. Masking ensures that at1alysts do not have access to the credit card numbers, and analysts cannot unn1ask the infonnation. Id. at 48 n.26. In the future, when NSA reconstitutes the v.-ithin another system, see Ex. D at 9, the fields

contaiPiil.g credit card information >;;ill not be included in the data transfer and will be purged..
c: - ,r_, " Cl ~t ..,._.,, ~ 0 (~1 S//SI/!N 0.'\.. . l if)

'lL

PROCEDURES DESIG:N"'ED TO MAL'lT A TN ONGOLNG COMPLIANCE W1TH THE ORDERS (U)


Beginning in docket nlh-nber BR 08-13, the Government has implemented and the Court

has imposed several requirements that will help ensure compliance with the Orders. Each of

TOP

SECRET//COlVU:NT/rNOFORl~

21

31 August 2009 Production

65

TOP SECRET//COMINT/!NOFORl'\f

these requirements is set forth in the Primary Order in docket nUJ.-nber BR 09-09. In general, they require regular conunUJ."1ications between NSA and the Department of Justice's National Security Division (NSD) on significant legal interpretations, compliance with the Orders, and oversight responsibilities. Primary Order, docket number BR 09-09, at 13-14. Also, by requiring the sharing ofNSA's procedures for controlling access and use of the BR metadata and for traL.1ing with the National Security Division, the Order gives NSD greater insig..h.t into NSA's implementation of its authorities. Id. at 8, 13. (TS//Sli/NF) Other requirements and self-imposed "fixes," including teclmological fixes, speciftcally address the problem of unauthorized queries of the BR metadata. As noted above, NSA technological fixes prevent any automated querying of the BR metadata and any querying with non-RAS-approved identifiers. NSA also has implemented a neYv user interface -that will limit the number of query hops to th..ree, as authorized by the Orders. Ex. A at 27. Apart from these technological fixes, NSA has recently created the new position of Director of Compliance, who reports directly to the Director and Deputy Director ofNSA 3.i1d has full-time responsibility in this area. ld. at 28. (TS//Sli/NF) Tne Order's requirements serve as an important backstop for these te:c.l-wological fixes. In the event that NSA seeks to i_mplement an automated query process in the future, it must obtain the approval of both NSD and the Court. Primary Order, docket number BR 09-09, at 14. The Orders also now require that all persons accessing the data, including technical personnel, be briefed on the authorizations and restrictions in Orders regarding the BR metadata. Id. at 10. This broader trai_,_Jing requirement is designed to prevent, among other thin.gs, the creation of processes to access the BR metadata by persons lacking a necessary understanding of the restrictions. In the event that even these safeguards fail, more explicit requirements for logging

TOP SECRET//COIVHNT//l'>!OFORJ'{ 22

31 August 2009 Production

66

TOP SECRET//COMINT//NOFORN
access to the BR metadata are designed to identify the source of the non-compliance. See id. at 9-10. (TS//SV/Nt) These requirements also provide the Court with additional information regarding NSA's implementation of the Orders. Specifically, any renewal Application must include the report on the meeting between NSA and NSD regarding compliance with the Orders. Id. at 13-14. In addition, NSA must flle a report every week describing any dissemination of BR metadata and certifying whether NSA followed the Order's requirements for dissemination. Id. at 10-11. The dissemination report and the training requirement for persons receiving results of BR metadata queries also address NSA's prior non-compliance with the Order's dissemination requirements. In addition, following renewal of the authorities in Docket Number BR 09-09 and any subsequent rene,:val, an attorney from NSD will meet 'IVith appropriate NSA persom1el to brief such personnel on the requirements of the Court1s authorization. (TS//SV/NF) Last, in the Application that the Goveminent intends to file for the renewal of docket number BR 09-09, it will seek authority to resume querying the BR metadata using telephone identifiers that NSA has determined meet the RAS standard. Although NSA's violations of the Orders did not concern its application of the R_P.._S standard, the standard is the cornerstone minimization procedure that ensures the overall reasonableness of the production. It is appropriate, therefore, that in connection with the request for authority to make R.i\S determinations the Government proposes two additional minimization and oversight procedures concefilJng Ri1..S determinations at!d queries. First, NSA plans to rev-iew its RAS determinations at regular intervals. Specifically, NSA \Vill review a R1\S detemrination at certain intervals: at least once every one hundred eighty days for U.S. telephone identifiers or any identi:fier believed to be used by a U.S. person; and at least every year for all other telephone identifiers. Ex. A at

TOP SECRET//COMINT//NOFORN
23

31 August 2009 Production

67

TOP SECRET//COIVUNT//NOFORN 25. Second, where such information is available, NSA will make analysts conducting queries aware of the time period for which a telephone identifier has been associated w i t h -

organizations, in order that the analysis and minimization of the information retrieved from the queries may be informed by that fact Id. at 26. (TS//S1'/NF) The Application will also include two oversight requirements similar to those included in the Order in docket number BR 08-13 fu1d prior Orders. Specifically, tw-ice duri_ng the ninety day period of authorization, NSD will review NSA's queries of the BR metadata, includ.i.L1g a review of a sample of the justifications for RAS approval. Moreover, NSA will report to the Court twice during the ninety day period of authorization regarding, among other trings, its queries of the BR metadata. The Court will mai.J.1tain the authority to approve automated query processes upon request from the Government, once DOJ and NSA are comfort.able requesting such authority from the Court. (TS//SI//NF)

TOP SECRET//COlVHNT//NOFORi'l
24

31 August 2009 Production

68

TOP SECRET//COMINT//NOFORN

CONCLUSION (U) The Government recognizes that no oversight regime will eliminate all risk of noncompliance. The above requirements, fixes, and proposed procedures, however, address the identified and systemic instances of non-compliance with the Orders and seek to protect against vulnerabilities with the implementation of future authorities. The Govem_ment respectfully submits that together these steps provide a solid foundation to monitor and promote continued future compliance. The Government will continue to monitor, evaluate and report to the Court on the effectiveness of the oversight and compliance regime discussed herein. (TS//SI//NF)

Respectfully submitted, DavidS. K..ris Assistant Attorney General for National Security

By:

Office of Intelligence National Security Division United States Department of Justice

TOP SECRET//COMINT//NOFORN
25

31 August 2009 Production

69

TOP SECRET//COMINT//NOFORN UNITED STATES FOREIGN INTELLIGENCE SURVEILLAl'iCE COURT WASHINGTON, D.C.
r-1
;_: L

- ... _
- .- J\

--

c.-.i.o. ;
-_ ,_ l.

IN H APPLICATION OF THE FEDER.i\L BUREAU OF INVESTIGATION FOR AN

Docket number: BR 09-09

DECLARATION OF LIEtTTENAl'\l"T GENER.A.L KEITH B. A_LEXA.NDE~ lJNITED STATES ARl\f"i, DIRECTOR OF THE NATIONAL SECURITY AGENCY

(U) BACKGROUND

(U) I, Lieutenant General Keith B. Alexander, depose and state as follows: (U) I am t.1e Director of the National Secmity Agency ("NSA" or "Agency"'~), an intelligence agency within the Department of Defense ("DoD"), mid have served in lhis position since 2005. I currently hold the ra.tlk of Lieutenant General in the United States

TOP SECRET//COMINT//NOFORN
Derived From: NSA.JCSSM 1-52 Dated: 20070 i 08 Declassify On: 20320108

31 August 2009 Production

70

TOP SECRET//COMINT//NOFORN
Army and, concurrent with my current assignment as Director of the National Security Agency, I also serve as the Chief of the Central Security Service and as the Commander of the Joint Functional Component Command for Network Warfare. Prior to my current assignment, I have held other senior supervisory positions as an officer of the United States military, to include service as the Deputy Chief of Staff (DCS, G-2), Headquarters, Department ofthe Army; Commander of the U.S. Army's Intelligence and Security Command; and the Director of Intelligence, United States Central Command.

(lJl As the Director of the National Security Agency, I am responsible for


directing and overseeing all aspects ofNSA's cryptologic mission, which consists of three functions: to engage in signals intelligence ("SIGINT") activities for the U.S. government, to include support to the government's computer network attack activities; to conduct activities concerning the security of U.S. national security telecommunications and information systems; and to conduct operations security training for the U.S. government. Some of the infom1ation NSA acquires as part of its SIGINT mission is collected pursuant to Orders issued under the Foreign Intelligence Surveillance Act of 1978, as amended ("FISA").
(U) PURPOSE AND SUlVIMARY

(TS//SI/!NF) This Declaration responds to the Court's Order of2 March 2009 in docket number BR 08-13 and its subsequent orders in docket numbers BR 09-01, BR 0906, and BR 09-09 concerning NSA's incidents of non-compliance in implementing a 24 May 2006 Order of the Court pursuant to 50 U.S.C. 1861 (Access to Certain Business Records for Foreign Intelligence and International Terrorism Investigations), as well as subsequent renev,rals of the 24 May 2006 Order. NSA refers to the program in

TOP SECRET//COMJNT//NOFORN

31 August 2008 Production

71

TOP SECRET//COMINT//NOFORN
which such records are acquired and analyzed as the "Business Records FISA Order" or as the "BR FISA." (TS//SIIINF) The Orders in docket numbers BR 08-13, BR 09-01, BR 09-06, and BR 09-09 direct that the government file with the Court, upon completion ofNSA's endto-end system engineering and process reviews of its handling of the BR FISA metadata, a report that includes, among other things: (1) a description of the results ofNSA's endto-end review, to include any additional instances of non-compliance identified therefrom; (2) a full discussion of the steps taken to remedy any additional noncompliance as well as those incidents described in the Court's 2 March 2009 Order in docket number BR 08-13, and an affidavit attesting that any technological remedies have been tested and demonstrated to be successful; and (3) the additional minimization and oversight procedures the government proposes to employ should the Court decide to authorize the government's resumption of regular access 1 to the BR metadata. See, e.g., Primary Order, docket number BR 09-06, at 15-16. This Declaration responds to each of these requirements. Each of the matters discussed in this Declaration, with the exception of the 'matter, is discussed in greater depth in NSA's

Report dated 25 June 2009 entitled "Implemention of the Foreign Intelligence

(TS//SI/INF) The term "regular access" refers to NSA's proposed resumption of previously authorized access to the BR FISA metadata, to include automated alerting and querying of the metadata, as well as the authority to establish whether a telephony selector meets the Reasonable Al--ticulable Suspicion ("RAS") standard for analysis. I understand that in seeking renewal of the authority granted by the Court in Docket Number BR 09-09, the government "~Arill not be seeking the resumption of "regular access" to the BR FISA metadata. Rather, the government intends to seek authority: (a) for certain designated NSA officials to approve access to the BR metadata for purposes of obtaining foreign intelligence information tDJough contact chaining using telephone identifiers that those officials have determined meet the RAS analysts who have received appropriate training on the BR FISA metadata ("BR-cleared analysts") to be able to access the BR metadata to perform queries. Resumption of automated alerting and/or querying of the BR metadata will be sought via subsequent submissions and commence only with the approval of the Court.

TOP SECRET//COMINT//NOFORN

31 August

20~

Production

72

TOP SECRET//COMINT//NOFORN

Surveillance Court Authorized Business Records FISA Order- NSA Review" (hereafter "End-to-End Report"), which is attached hereto. (TS//Sli/NF) In summary, NSA's end-to-end revie.w compared all aspects of its handling of the BR FISA metadata with the requirements of the Orders in docket number BR 09-06 and prior docket numbers. This review identified several new issues, in addition to the issues previously reported to the Court, that are of concern to NSA. This Declaration addresses issues, including those that required some form of technical remedy or "fix," which fall into four general categories: the use of automation to assist analytic efforts in a manner not authorized; improper analyst queries of the BR metadata repository; improper access to or handling of the BR metadata; and lack of a shared understanding of the BR program. with the exception o f t h e - issue, each of the issues addressed herein is discussed in more detail in the End-to-End Report. (TS/ /SI//NF) The Court's Primary Order in docket number BR 09-09 requires that "the government's submission regarding the results of the [BR FISA] end-to-end review" include: (1) "a full explanation of why the government has permitted dissemination outside NSA of U.S. person information in violation ofthe Court's Orders in this matter;" (2) "a full explanation ofthe extent to which NSA has acquired call detail records of foreign-to-foreign communications to orders of

the FISC, and whether the NSA's storage, handling, and dissemination of information in those records, or derived therefrom, complied with the Court's orders;" and (3) "either (i) a certification that any overproduced infom1ation, as described in footnote 10 ofthe government's application, has been destroyed, and that any such information acquired pursuant to this Order is being destroyed upon recognition; or (ii) a full explanation as to

TOP SECRET//COlVITNT//NOFORN

31 August 20Ge Production

73

TOP SECRET//COMINT//NOFORN why it is not possible or otherwise feasible to destroy such information." Primary Order, docket number BR 09-09, at 16-17. This Declaration also responds to each of these requirements. (TS/ /SVINF) The statements made in this Declaration are based upon: my personal knowledge; information provided to me by my subordinates in the course of my official duties -- in particular as a result of the end-to-end systems engineering and process reviews conducted at NSA since the filing of my declarations in this matter on 17 and 26 February 2009 in docket number BR 08-13; the advice of counsel; and conclusions reached in accordance with all of the above.
I. (U) END-TO-END REVIEW

A. (U) RESULTS, REIVIEDIES, AND TESTING


1. (U//FOUO) Use of Automation in a Manner Not Authorized

(TS//Sli/NF) The Telephonv Activitv Detection (Alerting) Process (TS//SVINF) As previously reported in my declaration filed on 17 February 2009, until 24 January 2009, NSA employed an activity detection ("alert") process, which used an "alert list" consisting of counterterrorism telephony identifiers 2 to provide automated notification to signals intelligence analysts if one of their assigned foreign counterterrorism targets was in contact with a telephone identifier in the United States, or if one of their domestic targets associated with foreign counterterrorism was in contact with a foreign telephone identifier. NSA' s process compared the telephony identifiers on

(TS//SV!NF) In the context of this Declaration, the term "identifier" means a telephone number, as that term is commonly understood and used, as well as other unique identifiers associated with a particular user or telecommunications device for purposes ofbilli.i1.g and/or routing communications, such as International Mobile Subscriber Identity (Il\1SI) numbers, International Mobile station Equipment Identity (IMEI) numbers, and calling card numbers.

TOP SECRET//COMINT//NOFORN

31 August 20e9 Production

74

TOP SECRET//COMINT//NOFORN the alert list against incoming BR FISA telephony metadata as well as against telephony metadata that NSA acquired pursuant to its Executive Order (EO) 12333 SIGINT authorities. Reports filed with the Court incorrectly stated that NSA had determined that all of the telephone identifiers it placed on the alert list were supported by facts giving rise to a reasonable, articulable suspicion (RAS) that the telephone identifier was associated with one of the targeted Foreign Powers as required by the Court's Orders, i.e., RAS approved. In fact, the majority of telephone identifiers included on the alert list had not been RAS approved, although the identifiers were associated with the Foreign Powers covered by the Business Records FISA Order. (TS/ /SI//NF) The Telephony Activity Detection Process was turned off at 1:45 a.m. on Saturday, 24 January 2009. On Monday, 26 January 2009, the Telephony Activity Detection Process was restarted, but without the use of metadata obtained pursuant to the Business Records FISA Order. In other words, at present, NSA compares telephony metadata obtained pursuant to its EO 12333 SIGINT authorities against a list of telephone identifiers that are of interest to NSA's counterterrorism personnel. No BR FISA metadata is being used as an input in the Telephony Activity Detection Process. 3 (TS//SI//1'-IT) The shutdown of the Telephony Activity Detection Process was done by technical experts assigned to NSA's Technology Directorate (TD) and witnessed by representatives from NSA's Signal's Intelligence Directorate (SID). A subsequent

TOP SECRET//COMINT//NOFORN

31 August 2009 Production

75

TOP SECRET//COMINT//NOFORN demonstration to SID Oversight and Compliance on 27 January 2009, following resumption of the Telephony Activity Detection Process using telephony metadata obtained pursuant to NSA's EO 12333 SIGINT authorities, confirmed that the system was not processing any BR FISA metadata. Tests conducted at that time demonstrated that no results of "BRF" (Business Records FISA) type were contained in the system, and no internal system processes for alerting on BR FISA metadata were running on the system. A sample of alert email notifications was examined and only EO 12333 alerts were being produced. Since that time, periodic reviews conducted by NSA's Homeland Security Analysis Center (HSAC) Technical Director (at least twice per month) have confirmed that the Telephony Activity Detection Process system has continued to produce only EO 12333 alerts. (U//FOUO) (TS//SII/NF) As previously reported in my declaration filed on 26 February 2009, NSA analysts working counterterrorism targets had access to a tool known as - " to assist them in determining if a telephony identifier of interest was present in NSA's EO 12333 SIGINT collection or BR FISA metadata repositories and, if so, what the level of calling activity was for that identifier. -Although tbis tool could be used in a stand-alone manner, it was more frequently invoked by other analytic tools. On 19 February 2009, NSA confirmed that t h e - tool enabled analysts to query the BR FISA metadata, as well as metadata obtained from EO 12333 SIGUH collection, using telephone identifiers that bad not been determined to meet the RAS standard. (TS//SI//NF) NSA had previously disabled certain tools designed to perform searches against BR FISA metadata in one of the data repositories used to

TOP SECRET//COlVITNT//NOFORN

31 August 2009 Production

76

TOP SECRET//COMINT//NOFORN store BR FISA metadata, on 6 February 2009. To prevent additional instances ofnoncompliance in the access to the data within the~ BR FISA contact chaining repository by automated tools/processes, i n c l u d i n g - on 20 February 2009, NSA removed all existing system level Public Key Infrastructure (PKI) certificates that afforded these tools/processes access to the BR FISA metadata in
4

A PKI

system-level certificate is essentially a "ticket" used by the system to recognize and authenticate that the automated capability has the authority to access the database. As a result of the removal of system level certificates, all automated query capabilities against th R FISA contact chaining repository were rendered inoperable.

Removal of the system level certificates was done b y - technical personnel. A subsequent inspection conducted by both technical personnel and SID's

Oversight and Compliance verified that the certificates were no longer on the list of authorized BR FISA users. HSAC analysts then subsequently verified that the automated processes no longer worked following removal of the certificates. (TS//SI//NF) Subsequent inspection of the system logs, to include an audit of activity from 1 March -1 June 2009, conducted by SID Oversight & Compliance, confirmed that the system level certificates were no longer able to access the BR FISA metadata ~ These system logs, which document any person or process submitting queries to t h e - BR FISA contact chaining repository, indicated that only manual queries by individual BR-cleared analysts were perfonned. These logs were then used by SID Oversight & Compliance to audit each analyst's queries of the BR

discussed below, exists outside of

TOP SECRET//COMINT//NOFORN

31 August

200~

Production

77

TOP SECRETI ICOMINT I INOFORN FISA metadata. Continued .periodic review of these logs will confirm that no automated processes are gaining access to the BR FISA metadata i n - until such time that a tested and Court-approved capability is brought into operation.

2. (TSIISI//NF) Improper Queries ofthe BRMetadata Repository


(UI/FOUO) Improper Analyst Queries (TSIISII!NF) My declaration filed on 26 February 2009 identified and discussed queries using non-RAS approved identifiers of the BR FISA metadata by analysts who did not realize their queries were reaching into the BR FISA metadata. NSA implemented a software modification (the "Emphatic Access Restriction" or "EAR") that allows chaining on only those identifiers that have been determined to satsify the RAS standard. The EAR is designed to eliminate the possibility of this problem recurring. (TSIISII!NF) As previously reported to the Court, three NSA analysts inadvertently performed chaining within the BR FISA metadata using non-RAS approved identifiers. To ensure compliance with the Business Record FISA Order's requirement that NSA personnel use only RAS-approved identifiers to query the BR FISA metadata, NSA made system level changes to the BR FISA is used by analysts to perform contact '-'ll'"-.LU.~J.J.E: (Action 1) that This software

restrictive measure, the EAR, ensures queries are employed using only RAS-approved identifiers as seeds and prohibits queries made with non-RAS-approved identifiers as seeds against the~R FISA contact chaining repository. 5

discussed below, exists outside o f - and,

TOP SECRETIICO:MINTI/NOFORN

31 August

200~

Production

78

TOP SECRET//COMINT//NOFORN
(TS/ /SII/NF) was the software tool

interface used by analysts to manually query the BR FISA chain summaries in at the time the EAR was implemented. The EAR is written into the middleware. As a BR-cleared analyst logs i n t o - ' the
6

Authentication Service determines if the user is approved for access to the BR FISA metadata. However, before the middleware will execute the query, the EAR requires that it access a - database that contains the disposition of RAS-approved identifiers. - n o w obtains from HSAC, on an approximately hourly basis, the most up-to-date Station Table with the current list ofRAS-approved identifiers. (The Station Table serves as NSA' s definitive list of identifiers that have undergone RAS determinations.) Upon obtaining the RAS-approval status of the query "seed," the EAR determines whether to allow the middleware to conduct the query or prohibit it. Additional "hop" queries will be permitted by EAR as long as the lineage of an identifier resolves back to a RAS-approved "seed." As discussed further below, NSA began to implement in late July 2009, which, as an additional middleware software

restrictive measure, will limit the number of hops pemlitted from a "seed" to three, in accordance with the Court's Orders. As of31 July 2009, access to the FISA contact chaining repository can only be achieved through use of (discussed below). All prior versions o f - have been locked out from access to this data.
R

(U) Middleware is a general term for any programming that serves to "glue together" or mediate between tlvo separate and usually already existing programs. A common application ofmiddleware is to allow programs ;vritten for access to a particular database to access other databases.

TOP SECRET//COMINT//NOFORN

31 August

200~

Production

79

TOP SECRET//COJVllNT//NOFORN (TS//SII!NF) To further mitigate the possibility of additional instances of noncompliant querying of the BR FISA material, NSA created a software interface (Action 2) that requires authorized analysts affirmatively to invoke an option (or "opt in") for access. This "opt in" measure was designed prior to the end-to-end review to ensure that analysts know when they have accessed t h e - BR FISA metadata repository. As an additional remedy (Action 3) and to ensure queries against the BR FISA metadata are evaluated against the most current list of RAS-approved identifiers, NSA now ensures t h a t - , the system that is used for contact chainin~gainst the BR FISA repository, is updated on an hourly basis with the most current list ofRASapproved identifiers from the Station Table. (TS//SI/!NF) The software measures described in Actions 1 and 2 above were tested b y - technical personnel at the component level via unit tests, a methodology used to verify that individual units of source code are working properly. Each affected software component was modified as necessary, and then specific tests were conducted to ensure the proper operation ofthat sofuvare component. For Action 1, the test methodology for the EAR sofuvare consisted of standard component testing. The tests included attempts to query with both approved and non-approved identifiers. Queries against approved identifiers ran successfully, while queries against non-approved identifiers failed. As the deployment of the EAR was done with urgency to remedy this compliance issue, initial testing was conducted over a period of two days. For this reason, the full test suite was re-run the week following the EAR's implementation toreverify test results. The testing was judged to be complete and no "bugs" or deficiencies were found. For Action 2, the test included attempts to use the approved user interface

TOP SECRET//COMINT/!NOFORN

31 August 2009 Production

80

TOP SECRET//COMJNT//NOFORN
(which operated correctly) and the prohibited user interfaces (which failed). Action 3 was tested by verifying receipt of the expected update file on an hourly basis, comparing the file sizes of the file-sent and file-received, and automated production of an e-mail verifying that the status changes had been applied to the operational system. Following testing, the system was demonstrated to show correct operation to TD leadership, members of the HSAC, SID Oversight & Compliance, and NSA's Office of General Counsel (OGC). Subsequent inspection of system logs, to include an audit of activity from l March -1 June 2009, conducted by SID Oversight & Compliance, provided additional verification that the system was operating correctly.

(TS//SI/INF) U.S. Identifiers Designated as RAS-Approved without OGC Review


(TS//SII/NF) Benveen 24 May 2006 and 2 February 2009, NSA Homeland Mission Coordinators (HJVt:Cs) or their predecessors concluded that approximately 3,000 domestic telephone identifiers reported to Intelligence Community agencies satisfied the RAS standard and could be used as seed identifiers. However, at the time these domestic telephone identifiers were designated as RAS-approved, NSA' s OGC had not reviewed and approved their use as "seeds" as required by the Court's Orders. NSA remedied this compliance incident by re-designating all such telephone identifiers as non RASapproved for use as seed identifiers in early February 2009. NSA verified that although some of the 3,000 domestic identifiers generated alerts as a result of the Telephony Activity Detection Process discussed above, none of those alerts resulted in reports to Intelligence Community agencies. 7

(TS//SI/11\TF) The alerts generated by the Telephony Activity Detection Process did not then and does not now, feed the NSA counterterrorism target knowledge database described in Part I.A.3 below.

TOP SECRET//COMJNT//NOFORN

31 August 2002 Production

81

TOP SECRET//COMINT//NOFORN (TS//SI/INF) Another historic incident of non-compliance, uncovered during the end-to-end review, relates to errors made in the process of implementing the initial BR FISA Orders in 2006, when a few domestic telephone identifiers were designated as RAS-approved and chained without OGC approval due to analyst errors. For example, a process error occurred when an analyst inadvertently selected an incorrect option which put the domestic telephone identifier into a large list of foreign identifiers which did not require OGC approval as part of the RAS approval process. The HMC failed to notice the domestic identifier in the large list of foreign identifiers at the time, and once the RAS justification was approved, the domestic telephone identifier was chained without having first gone through an NSA OGC First Amendment review as required by the BR FISA Orders. NSA estimates that this type of analyst error occurred only a few times. Each time an error of this type was identified through NSA' s quality control regime, senior HMCs provided additional guidance and training to analysts, as appropriate, and the incorrectly approved identifier was changed to non-RAS approved and then re-submitted for proper approval and OGC review. (TS//SI/!NF) Use of Correlated Identifiers to Ouerv the BR FISA Metadata (TS//SI/INF) The end-to-end review uncovered the fact that NSA's practice of using correlated identifiers to query the BR FISA metadata had not been fully described to, nor approved by, the Court. An identifier is considered correlated with other identifiers when each identifier is shovm to identify the same communicant(s). -

-TOP SECRET//COMINT//NOFORN

31 August

200~

Production

82

TOP SECRET//COlVITNT//NOFORN

(TS//SV/NF) NSA analysts authorized to query the BR FISA metadata routinely query the BR FISA metadata without a separate RAS determination on each correlated identifier. In other words, if there was a successful RAS determination made on any one of the identifiers in correla and all of the correlated identifi

were considered RAS-approved for purposes of the query because they were all associated with NSA obtaine correlations from a

variety of sources to include Intelligence Community reporting, but the tool that the analysts authorized to query the BR FISA metadata primarily used to make correlations is

TOP SECRET//COMINT//NOFORN

31 August 2009 Production

83

TOP SECRET//COMINT//NOFORN

(TS//SI/INF) that holds correlati interest, to include results from

-a database between identifiers of was the primary means by which

correlated identifiers were used to query the BR FISA metadata. On 6 February 2009, prior to the implementation of the EAR, access to BR FISA metadata was disabled, preventing from

providing automated correlation results to BR FISA-authorized analysts. In addition, the implementation of the EAR on 20 February 2009 ended the practice of treating correlations as RAS-approved in manual queries conducted

IIIII

since the EAR requires each identifier to be individually RAS-approved prior to it being used to query the BR FISA metadata. NSA ceased the practice of treating correlations as RAS-approved within the in conjunction with the March 2009 Court Order.

(TS//SI//N-p) As discussed a b o v e - is the sofuvare tool L11terface used by analysts to manually query the BR FISA chain summaries i n - . The latest version of as noted above, limits the number of "hops"

TOP SECRET//COlVU:NT//NOFORN

31 August

200~

Production

84

TOP SECRET//COMINT/!NOFORN permitted from a "seed" to three, in accordance with the Court's Orders. During testing of the beta version o the hop restriction, a feature and its hop restriction, NSA determined that, despite could

be invoked to provide an analyst with the number of unique contacts for a third-hop identifier, a type of information that would otherwise only be revealed by a fourth hop. 9 This feature did not return to the analyst any information on the contacts of the last selector in a contact chain other than their total number of unique contacts. After consultation with NSA OGC, t h e - feature in the beta version o was disabled for last-hop identifiers. 10 This corrected versjon deployed to select users beginning on 23 July 2009. (TS//SI/!NF) T h e - feature was not exclusive to the beta version of prior versions o - , since its first delivery beginning in late 2001/early 2002, provided analysts t h e - feature. In prior versions of - Look Ahead was generally the same: if an analyst a c t i v a t e d - in his or her preferences his or her BR FISA contact chaining query results would include the number ofunique contacts for each returned identifier, including for identifiers in the third hop from the RAS-approved seed. was

(S) NSA discovered this issue subsequent to finalization of the end to end report. DoJ, National Security Division (NSD) personnel were notified of the feature on 29 July 2009, and orally notified Court Advisors on 30 July 2009. was notified of this matter with a notice filed on 4 August 2009 in accordance with Rule 10( c) of the FISC Rules of Procedure.

TOP SECRET//COMINT/!NOFORN

31 August 20GB Production

85

TOP SECRET//COMINT//NOFORN (TS//SI!/NF) On 24 July 2009, HSAC instructed all persons authorized to query the BR FISA metadata not already using to migrate to as soon

as possible and uninstall all previous versions of t h e - softw-are. As of31 July 2009, access to t h e - BR FISA contact chaining repository can only be achieved through use o All prior versions o f - have been locked

out from access to this data. Following the lock out of all p r i o r - versions, the system was demonstrated to show correct operation to TD leadership, the Chief HSAC, and members of SID's Oversight & Compliance. Should the Court authorize additional analysts to query the BR FISA metadata, NSA will ensure that they only do so with or its successor that likewise does not p e r m i t - to display the number of unique contacts for a third-hop identifier in the BR FISA metadata. (TS//SII/NF) NSA identified two common practices used by BR metadata analysts that mitigated potential for non-compliance, First, although NSA analysts

were permitted three hops in the BR FISA metadata from a RAS-approved seed, in practice NSA analysts infrequently chained out beyond the second hop. Second, because its use resulted in slower queries. To the extent t h a t - was used with BR FISA metadata, NSA has concluded, based on discussions w i t h - users, that the information returned by - w o u l d not have been disseminated. Instead, - a d i.J.lformation was used by NSA personnel for target development purposes. The number of unique contacts of a third-hop identifier assisted analysts in determining whether the third-hop identifier was one of genuine interest or not, such as a - identifier that might be added to a defeat list

TOP SECRET//COMINT//NOFORN

31 August

200~

Production

86

TOP SECRET//COMINT//NOFORN

3. (U//FOUO) Improper Access to or Handling of the BR FISA Metadata (TS//SI/11\TF) Data Integritv Analysts' Use ofBR FISA Metadata (TS//SII/NF) As part of their Court-authorized function of ensuring BR FISA metadata is properly formatted for analysis, Data Integrity Analysts seek to identify numbers in the BR FISA metadata that are not associated with specific users, e.g., "high volume identifiers."

. NSA determined during the end-to-end review that the Data Integrity Analysts' practice of populating non-user specific numbers in NSA databases had not been described to the Court. (TS//SII/NF) For example, NSA maintains a database, which is widely used by analysts and designed to hold identifiers, to include the types of non-user specific numbers referenced above, that, based on an analytic judgment, should not be tasked to the SIGINT system. In an effort to help minimize the risk of making incorrect associations betvveen telephony identifiers and targets, the Data Integrity Analysts provide~ included in the BR metadata to A small

number o f - BR metadata numbers were stored in a file that was accessible by the BR FISA-enable~, a federated query tool that allowed approximately 200 analysts to obtain as much information as possible about a particular identifier of interest. Both and the BR FISA-enable~ allowed analysts outside of

those authorized by the Court to access the non-user specific number lists.

TOP SECRET//COMINT//NOFORN

31 August

200~

Production

87

TOP SECRET//COMINT//NOFORN
(TS//SI/INF) In January 2 0 0 4 , - engineers developed a "defeat list" process to identify and remove non-user specific numbers that are deemed to be of little analytic value and that strain the system's capacity and decrease its performance. In building defeat lists, NSA identified non-user specific numbers in data acquired pursuant to the BR FISA Order as well as in data acquired pursuant to EO 12333. Since August 2 0 0 8 , - had also been sending all identifiers on the defeat list to t h e -

(TS//SI/INF) while the positive impacts that result in making these numbers available to analysts outside of those authorized by the Court seem to be in keeping with the spirit of reducing unnecessary telephony collection and minimizing the risk of making incorrect associations between telephony identifiers and targets, upon identifying this as an area of concern NSA took several remedial actions to end these practices. As of
2 May 2009, NSA quarantined the BR-derived identifiers on

On

12 May 2009, NSA shut off access to the file containing the small number of BR-derived identifiers by the BR FISA-enabled- tool. On 11 May 2009, - r e m o v e d eight BR FISA identifiers from its SIGINT-only defeat list. (TS//SI/INF) To verify the technical measures taken were successful, from 1-2 May 2009, technical personnel segregated and deactivated BR FISA-derived data in previously entered by the Data Integrity Analysts. The database is hosted in ~ database. Each record contains a STATUS field that is either set to "ACTIVE" or "DELETE." If the STATUS field is set

TOP SECRET//COMINT//NOFORN

31 August 20Qj Production

88

TOP SECRET//COMINT//NOFORN to "ACTIVE," then the selector is a valid phone number and is being used for a purpose of which NSA is not interested; however, the record is available for query by analysts and follow-on systems. If the STATUS field is set to "DELETE," then the record is unavailable to analysts or other systems. In order to segregate and deactivate the BR FISA-derived records, the decision was made to change the STATUS field from "ACTIVE" to "DELETE," which means that the number is unavailable to NSA analysts or other systems. Due to the volume of entries, a program was written and executed to change the status. (TS//SIJINF) After testing the program on a small sampling of data and the test results were found to be accurate, the program was executed. Technical personnel monitored initial execution and performed a series oftests to validate the results. At the completion of program execution, Technical Personnel again performed those tests to validate the results. The validation testing was performed three times and results were consistent. (TS//SIIINF) The Primary Order in docket number BR 09-09, dated 9 July 2009, now permits NSA to use certain non-user specific numbers a n d - identifiers for purposes of metadata reduction and management. (TS/ /SI//NF)
Ha:mllin~

of BR FISA Metadata

(TS//SIJfN-p) The end-to-end review uncovered that NSA's data protection measures were not constructed exactly as the Court Order sets out. Specifically, while the Order requires processing of the data to be carried out on "select" machines using "encrypted communications," the protections NSA affords the data, though different, are quite effective. NSA provides strong and robust physical and security access controls,

TOP SECRET//COMINT//NOFORN

31 August

206~

Production

89

TOP SECRET//COMINT//NOFORN

but there are not specifically designated machines on which the technical personnel are required to work nor are the communications encrypted. To accurately reflect NSA' s data protection measures, NSA worked with the Department of Justice (DoJ) to revise the orders proposed to and ultimately adopted by the Court in docket number BR 09-06. (TS//SI//NF) Data Integrity Analysts sometimes pulled samples of BR metadata onto a non-audited group/shared directory to carry out authorized activities. While the Data Integrity Analysts are authorized to access the data, they are not authorized to move it from the auditable repository into a shared directory where analysts, BR-cleared and otherwise, could have viewed the data. This shared folder was in essence a work space in which the Data Integrity Analysts could perform their authorized activities. There is, however, no reason to believe that analysts, BR-cleared or otherwise, accessed the BR rnetadata through the shared directory: only a small group of non-cleared analysts had access to the files on this server and it would have been outside the scope of their duties to access the BR metadata samples on the group/shared directory. It is also unlikely that any of the cleared analysts would have accessed this data. As an extra safeguard, NSA has implemented additional access controls that provide appropriate storage areas for the samples of BR FISA metadata used by Data Integrity Analysts for technical purposes.
(TS//SI//NF) Svstem Developer Access to BR FISA Metadata while Testin2 New Tools

(TS//SI//NF) During the revieYv NSA discovered that a group of software developers designing a next generation metadata analysis graphical user interface (GUI), is the replacement f o r - and uses the same authentication/authorization mechanism a s - ) , had queried the BR FISA metadata 20 times while running tests between September 2008 and February 2009.

TOP SECRET//COIVIINT//NOFORN

31 August 20G9 Production

90

TOP SECRET//COMINT//NOFORN This access occurred due to the dual responsibilities of the individuals involved. The developers on also have maintenance responsibilities of the

operational s y s t e m , - , where their access to BR FISA is warranted on a continual basis. 'While the actions were in keeping with the Court Orders in place at the time of the queries, under the current Court Order the developers will require OGC approval prior to engaging in their development and testing activities. (TS//SIIINF) 'When this issue surfaced, NSA implemented a software change on 19 March 2009 to prevent the Gill from accessing BR FISA

metadata regardless of the user's access level or the RAS status of the identifier. 11 This change was tested personnel via a demonstration that the developers a n d - technical could not be used against

BR FISA metadata even when a BR FISA-cleared user attempted to do so. NSA also implemented an oversight process whereby all BR FISA-authorized technical personnel who have both maintenance and development responsibilities have their accesses to BR FISA metadata revoked when involved in new systems development, except when granted by NSA's OGC on a case-by-case basis. This process will ensure no inadvertent access to the data until such time as these technical personnel receive OGC authorization to access BR FISA metadata to test technological measures designed to enable compliance with the Court Order. SID Oversight & Compliance is notified each time anyone's permission to access the BR FISA metadata is changed and tracks these changes for compliance purposes.

11

(TS//SV/NF) As of 20 February, EAR would have prevented any query made through

~UI that included a non-R.A_S-approved identifier.

th91

TOP SECRET//COMINT//NOFORN

31 August

20fi~

Production

TOP SECRET//COMINT//NOFORN (TS//Sl/INF) External Access to Unminimized BR FISA Metadata Ql]erv Results

(TS//SII/NF) During the end-to-end review, NSA's Review Team learned that analysts from the Central Intelligence Agency (CIA), Federal Bureau of Investigation (FBI), and National Counterterrorism Center (NCTC) had access to unminimized BR FISA query results via an NSA counterterrorism target knowledge database. This matter is discussed in more detail below in Section II.
4. (TS//SI/INF) Lack of a Shared Understanding of the BR Program (S//NF)

(TS//SII/NF) The end-to-end revie\V surfaced an issue concerning proper auditing of the In addition to t h e - BR FISA

chaining summary repository in which contact summaries are stored and where the bulk of metadata analysis takes place, a separate database, - stores particular fields from each record (as opposed to summaries of those records). This database is used regularly by the Data Integrity Analysts but is also accessible by other analysts authorized to query the BR FISA metadata. When a report is to be issued based on analysis conducted in the repository of contact summaries, analysts often verify what they intend to report by accessing the records in this second data repository. The end-to-end review uncovered the fact that this second database had not been audited. In response, NSA modified the database to enhance its auditability and NSA has audited every query made in the database since February 2009 and found no indication of improper queries. 12

(TS//SII/NF) Although suffered a system crash in September 2008, NSA was ultimately ab to recover c1ent NSA Oversight & Compliance personnel to conduct sample audits of queries since the Order's inception. These sample audits revealed no unauthorized access to nor improper queries against the BR FISA metadata.

12

TOP SECRET//COMJNT//NOFORN

31 August

200~

Production

92

TOP SECRET//COlVITNT//NOFORN

(TS//SI//NF) Provider Asserts That Foreign-to-Forei~n Metadata Was Provided Pursuant to Business Records Court Order
(TS//Sl//NF) The end-to-end review team learned

Section ill.
B. (U) l\flNIMIZATION AND OVERSIGHT PROCEDURES

(TS//Sl//NF) In addition to the steps taken to remedy the specific issues identified above, NSA plans to institute additional oversight and compliance processes designed to ensure that NSA will comply with any order authorizing NSA to resume regular access to the BR FISA metadata. (TS//Sl//NF) Several additional procedures already have been incorporated into the Court's Primary Order in docket number BR 09-09. The Primary Order now imposes additional access controls for technical personnel. In the past, NSA had logged queries to the BR metadata by analysts and briefed only those analysts on the authorization granted by the Orders. Now, the Orders require NSA to log access to the BR FISA metadata by technical personnel as well as by analysts, and to brief technical personnel, as well as analysts, on the authorization granted by the Orders. See Primary Order, docket number BR 09-09, at 9-10. These tightened controls should provide greater accountability for any decision to access the BR FISA metadata and will educate all personnel, particularly those who set up the tools and processes for accessing the BR FISA metadata, about the rules governing access and use. Additionally, the Primary Order now incorporates mechanisms to better ensure that the results of queries to the BR FISA metadata are

TOP SECRET//COMINT//NOFORN

31 August

200~

Production

93

TOP SECRETIICOMINTI/NOFORN treated in accordance with the Court's Orders. Specifically, NSA is now providing weekly dissemination reports to the Court and analysts not cleared to query the metadata are not permitted access to query results before they receive appropriate training. See id. at 10-12. (TSII ISIIINF) The current Primary Order also incorporates the additional oversight procedures first proposed by the government in its application in docket number BR 09-01. See id. at 8, 13-14. In general, those additional oversight procedures require greater coordination between various NSA components and DoJ's National Security Division concerning implementation and interpretation of the Orders. They also require that the Court approve the implementation of any automated process involved in the querying of the BR FISA metadata. These additional procedures are designed to eliminate the risk of incorrect legal interpretations, to ensure timely notice to DoJ and the Court of material issues, and to ensure that any automated query process has been tested and demonstrated to be compliant with the Orders, and approved by the Court, before implementation. (TSIISI/INF) NSA will also propose several new minimization and oversight procedures in the application seeking the renewal of docket number BR 09-09. The application will request authority for NSA to resume approving telephone identifiers for contact chaining First, the application will propose that NSA re-

visit its RAS determinations at certain intervals: at least once every one hundred and eighty days for U.S. telephone identifiers or any identifier believed to be used by a U.S. person; and at least every year for all other telephone identifiers. This new re-validation procedure is designed to ensure that for as long as NSA queries the BR FISA metadata

TOP SECRETI ICOMJNTI INOFORN

31 August

200~

Production

94

TOP SECRET//COMINT/!NOFORN
with RAS-approved telephone identifiers, those identifiers will continue to meet the Ri\S standard. Second, the application will propose an express requirement that, where NSA has affirmative information that a RAS-approved telephone identifier was, but may not presently be, or is, but was not formerly, associated with a Foreign Power, analysis and minimization of results of queries using that identifier be informed by that fact. This requirement is designed to focus NSA's analysis on the period for which the RASapproved telephone identifier is associated with a Foreign Power. (TS//SV!NF) NSA has recently reviewed and revalidated the oversight documentation governing the BR FISA. This documentation consists of a set of Standard Operating Procedures (SOPs). These SOPs address: access to BR FISA metadata; BR FISA audit procedures; compliance notifications; DoJ and NSA OGC spot checks; and the respective roles of various NSA personnel involved in oversight and compliance activities. (TS//SII/NF) More recently, NSA' s Associate Directorate of Education and Training (ADET) has redesigned the BR FISA training package to ensure common and expert level proficiency in the rules and procedures governing appropriate handling of the BR FISA metadata. ADET, together -vv1th NSA OGC and the SID Oversight & Compliance organization, has developed and is in the process of implementing a series of on-line training modules, complete Vvith competency testing, specifically addressing activities conducted with respect to the BR FISA Order. M:oreover, an oral competency test is cuirently being administered to each Homeland Mission Coordinator at the completion of the training they are currently receiving to ensure they understand the restrictions governing access to the BR FISA metadata.

TOP SECRET//COMINT//NOFORN

31 August

200~

Production

95

TOP SECRET//COl\1INT//NOFORN
(TS//SV/NF) Should the Court approve the application seeking the renewal of docket number BR 09-09 and grant NSA authority to resume approving telephone identifiers for contact chaining SA will update its SOPs and

training package for the BR FISA to account for the change in authority and the new procedures associated with that change. (TS//SV/NF) NSA has implemented and intends to implement additional software restrictions and changes to the BR metadata system architecture. As discussed above, NSA implemented a software change, July 2009 to restrict analyst

queries to the number of hops authorized by the Orders. 13 Furthermore, NSA is revamping its baseline system architecture, to include formal system engineering of all aspects governing the interaction of analysts and processes. Using principles of system engineering, configuration management, and access control, NSA has explored a future implementation of the BR FISA program to be used should the Court authorize NSA to resume regular access to the BR FISA metadata. This architecture has the potential to offer more effective management of the system as a whole, and a team of employees will collaborate to manage the entire system. The single approach, providing visibility into the overall structure of the system to the entire team, together with the technology solutions discussed above, vvill help prevent an isolated decision to connect a tool or process to the BR FISA database. (TS//SV/NF) In addition, requirements from the Court Order will be formally translated by NSA into system requirements prior to any changes to the system

(S) NSA OGC granted a~velopers to access BR FISA metadata for the specific purpose of testing and demonstrating~
13

TOP SECRET//CO:MJNT//NOFORN

31 August 200~h Production

96

TOP SECRET//COMINT//NOFORN
architecture, which should prevent problems such as the misunderstanding among different personnel as to how the Telephony Activity Detection Process functioned. Finally, NSA has recently created the new position of Director of Compliance, reporting directly to me and the Deputy Director ofNSA. The Director of Compliance has fulltime responsibility in this area. The Director of Compliance will be responsible for continuous modernization and enforcement of our mission compliance strategies and activities to ensure their relevance and effectiveness. At the same time, this new position will serve as an ongoing reminder of the importance of compliance work, and provide greater visibility and transparency in this essential area. (TS//Sl/INF) The Court entrusted NSA with extraordinary authority, and with it came the highest responsibility for compliance and protection of privacy rights. In several instances, NSA implemented its authority in a manner inconsistent with the Orders, and some of these inconsistencies were not recognized for more than tvvo and a half years. These are matters I take very seriously, and the changes NSA has made and will make as a result of the end-to-end review, with regard to both analyst access and the handling of data, are intended to address them directly and to provide an environment for successful implementation and management of the program should the Court decide to authorize NSA's resumption of regular access to the BR metadata. The technological remedies discussed herein have remedied the identified instances of noncompliance and should significantly improve future compliance with the Colli-t1s Orders. I attest that each of these remedies has been tested and demonstrated to be successful insofar as each functions as intended. Although no corrective measures are infallible, I believe that this more robust regime and the technological remedies NSA has instituted, particularly the

TOP SECRET//COMINT//NOFORN

3 1 Au g u s t 2 0 0 Ss Pr o d u c t i o n

97

TOP SECRET//COMJNT//NOFORN

implementation of the EAR, represent significant steps to reduce the possibility of any future compliance issues and to ensure that mechanisms are in place to detect and respond quickly if a compliance incident were to occur.
II. (TS//SI//NF) PRE-JUNE 2009 BR FISA DISSEMINATION PRACTICES

(TS/ /SIIINF) In a 16 June 2009 notice to the Court, the government reported that NSA had provided personnel from CIA, FBI, and NCTC access to a database that contained, among other things, some unminimized results ofBR FISA metadata queries. NSA did not make all, or even most, BR FISA query results available via this database. Instead, NSA placed only certain BR FISA query results in the database, generally in response to specific requests for information received from specially-cleared personnel from NSA, CIA, FBI, or NCTC. (TS//SII/NF) In response to this compliance incident, the Court issued an order on 22 June 2009 which directed NSA to provide the Court with "a full explanation of why the government has permitted the dissemination outside NSA of U.S. person information without regard to whether such dissemination complied with the clear and acknowledged requirements for sharing U.S. person information ... pursuant to the Court's orders" in the BR docket. This section responds to the Court's Order for a full explanation of how this compliance incident occurred. It also describes actions NSA has taken to investigate and remediate the problem.
(S//NF)

TOP SECRET//COMINT//NOFORN

31 August

200~

Production

98

TOP SECRET//COMINT//NOFORN

(TS) The BR FlSA end to end report stated that approximately 200 external analysts were permitted access to the database; further investigation revealed that the number is actually closer to approximately 250.

14

TOP SECRET//COMINT//NOFORN

31 August

200~

Production

99

TOP SECRET//CO:MINT//NOFORN

(TS/ /SI//NF) The Court's 2006 BR FISA Order authorized NSA to acquire the

TOP SECRET//COl\11NT//NOFORN

31 August

200~

Production

100

TOP SECRET//COMINT/!NOFORN

(U//FOUO) In contrast, USSID 18 permits NSA to disseminate outside ofNSA information identifying U.S. persons if the U.S. person information is necessary to understand foreign intelligence or assess its importance. US SID 18 also permits the Deputy Chief of Information Sharing Services, among others, to approve disseminations of U.S. person identifying information.

15

TOP SECRET//COMINT/!NOFORN

31 August

200~

Production

1 01

TOP SECRET//COMINT//NOFORN

(U) Discovery and Response to the Problem (TS//SII/NF) In June 2009, during the course ofNSA's end-to-end review ofthe Agency's implementation of the BR Order, NSA identified as a compliance matter the use of the database to make unminimized BR an~uery results available to FBI, CIA, and NCTC. NSA personnel also determined that, despite the disabling of the hyperlink button in July 2008, external analysts could have continued accessing the database if they retained the Uniform Resource Locator (URL) address for the database . .At"ter this problem was identified on 11 June 2009, NSA immediately began terminating individual external customer account access to the target knowledge database. NSA completed this action by 12 June 2009. (TS//SII/NF) To determine why this compliance issue occurred, NSA spoke with the senior analysts and oversight personnel who were aware of the Court-ordered minimization requirements and of how the database was used. These conversations revealed NSA personnel generally followed the minimization requirements when the Agency issued formal reports based on queries of the metadata acquired pursuant to the Court's BR FISA Orders. However, even though the applicability of the minimization requirements to the shared database is clear in hindsight, until the issue was discovered during NSA's end-to-end revi

dissemination procedures required by the Court's Orders.

TOP SECRET//COMINT//NOFORN

31 August 20093 Production

102

TOP SECRET//CO:MJNT//NOFORN (TS//SI//NF) Since identification of this matter, NSA has attempted to determine the actual extent of access to the database and/or use of the B~etadata. As part of that effort, the Agency has conducted a detailed audit of log-in activity of external analysts from each of the participating organizations. 16 The audit revealed that no external analysts accessed the database after January 2009. Prior to that, approximately 250 analysts had permission to access the database but only about one-third actually did so. Of that number, only approximately 47 external analysts did more than log in and change their passwords. These approximately 4 7 external analysts appear to have queried the database in the course of their counterterrorism responsibilities and they accessed directories that contained the results o - BR queries, including unminimized U.S. person-related information. The BRI-erived U.S. person information consisted of unmasked telephone numbers or email addresses that were returned in response to RAS-approved queries made of the underlying metadata. (TS//SI//NF) In addition to the audits, NSA also asked CIA, FBI, and NCTC to describe how their personnel made use of their access to the database. 17 The NCTC employees with access to the database reported that they did not make use of any unminimized B~uery results in any NCTC analytic products. Only two FBI analysts accessed this database while researching counterterrorism leads. Several other

TOP SECRET//COMINT//NOFORN

31 August

200~

Production

10~

TOP SECRET//COMINT//NOFORN
FBI analysts believe they may have accessed the database while working closely with a team of FBI analysts [FBI Team 1OJ who were detailed to NSA and working under NSA's control,l 8 The FBI reported that none of the external FBI analysts published or disseminated anything as a result of their access to the database and FBI believes that it is "highly unlikely that any FBI-published analytical products or investigative reports ever contained this data" from the database. CIA reported that some of its personnel who were approved for access to the compartmented counterterrorism program used information in the database for lead purposes, to include as a basis for initiating counterterrorism discussions between CIA and FBI personnel. However, CIA's review indicated that any information contained in the database, to include-BR metadata chaining results, "was used very rarely in finished intelligence products produced by CIA analysts for senior policymalcers." Instead, information obtained from CIA's access to the database was usually used "in conjunction with reporting from other intelligence sources."

TOP SECRET//COMINT//NOFORN

31 August 20QQ Production

104

TOP SECRET//CO:MINT/fl\JOFORN

(S//SI/!NF) NSA has corrected the problem in this specific instance by terminating all external access to the database in question. Beyond that, the Agency recognizes that the underlying issue is the need to identify all areas of activity that are subject to these Court Orders and/or other legal restrictions and conditions, in order to ensure compliance. Ibis requires several elements, including an accurate end-to-end picture of how data is handled-- by technical (e.g., systems administrators) and operational personnel alike -- from collection through dissemination; ongoing oversight, training, and compliance efforts; and system testing procedures that give assurance that data is actually being handled as required. NSA has instituted measures in all these areas, as described in detail in the report on the Agency's end-to-end review. In addition, as discussed above, NSA has created the new position of Director of Compliance to ensure that NSA has a comprehensive and effective compliance program and maintain heightened attention in this particular area. NSA continues to work to discover and correct any outstanding issues and avoid any recurrence.
(U) Dissemination of U.S. Pe:rson Identifying Information

(TS//SI//NF) Wilen an NSA analyst determines that information identifying a U.S. person needs to be included in a report, a designated NSA approving official must authorize the release. 19 The Information Sharing Services office is generally the

19 (TS//SI/INF) The designated approving official does not make a detemrination to release U.S. person information requested by DoJ or DoD personnel in connection with prudential searches, such as those

TOP SECRET//COIVDNT/fl\JOFORN

31 August

200~

Production

105

TOP SECRET//COMINT//NOFORN
responsible entity for approving such releases. Within the context of EO 12333 collected information, the release authority includes the Chief and Deputy Chief, Information Sharing Services, SID Director and Deputy Director, Senior Operations Officer (S00)/0 DIRNSA, and Deputy DIRNSA. In the EO 12333 context, the approving authority must determine that the infom1ation is related to a foreign intelligence purpose, and that the U.S. person information is necessary to understand or assess the value of the information.

NSA followed US SID 18 procedures for the dissemination of U.S. person identities and did not appropriately implement the additional requirements identified in the Court orders for a determination that the information is related to counterterrorism information. Furthermore, NSA did not implement appropriate procedures reflecting the fact that individuals other than the Chief, Information Sharing Services were not specifically authorized to grant the release of U.S. person information. Although NSA now understands the fact that only a limited set of individuals are authorized to approve these releases under the Court's authorization, it seemed only appropriate at the time to allow her Deputy or those acting in her capacity to be delegated with this authority as well. (TS//SI/!NF) On 18 June 2009, NSA advised the Office of Information Sharing Services that the chief of that office was the only NSA official authorized to approve the

conducted for criminal or detainee proceedings. In the case of such requests, NSA's Litigation Support Team conducts specific prudential searches ofNSA holdings but these prudential searches do not include or result in queries of the BR FISA metadata.
20

(S) The SOO is the Senior Operations Officer, in charge of the National Security Operations Center, NSA's 24/7 operations center. The SOO acts in place of the DIRNSA, when the DIRNSA is unavailable. The Court's Order dated 29 May 2009 recognized that the SOO may approve disseminations for after-hours requests.

TOP SECRET//COMINT//NOFORN

31 August

200~

Production

106

TOP SECRET//CUMJNT//NOFORN
dissemination of any U.S. person identity derived from BR FISA metadata and that the chief must make the required fmdings and document those fmdings prior to any such dissemination. Moreover, on 9 July 2009, in docket number BR 09-09, the Court increased the numbers of individuals permitted to approve disseminations to include the Chief, Information Sharing Services, the SOO, the SID Director, the Deputy Director of NSA, and the Director ofNSA.
(U) Review of Prior Disseminations

(TS//SI!INF) On 29 July 2009, members ofDoJ/NSD's Office of Intelligence Oversight Section completed a review of all BR FISA disseminations containing U.S. person identities in order to determine who approved the disseminations and what determinations were made, if any, by the approving official. (TS//SI//NF) The NSD review identified 280 disseminations of reports containing BR FISA-derived U.S. person identities. Of the 280 disseminations, 92 were approved by the Chief of Information Sharing Services, 170 were approved by the Deputy Chief of Information Sharing Services, 15 were approved by a SOO, one was approved by an acting Chief of Information Services, and two were approved by an acting Deputy Chief of Information Sharing Services. The disseminations authorized by persons other than the Chief of Information Sharing Services did not occur during any particular time frame. Rather, they were distributed throughout the lifespan of the collection. (TS//SI//N"F) Of the 280 disseminations of reports containing BR FISA-derived U.S. person identities, 74 were made in 2006, 101 were made in 2007, 95 were made in 2008, and ten were made in 2009. The waiver forms authorizing each of the disseminations in 2006 and 2007, 17 5 in total, contained no particularized finding relating to the purpose of the dissemination. Beginning in July 2008, however, the

TOP SECRET//COMJNT//NOFORN

31 August 2008Production

107

TOP SECRET//COMINT//NOFORN authorizing waivers contained a general fmding that the U.S. person identity was foreign intelligence or necessary to understand foreign intelligence. Of the 95 disseminations approved in 2008, 82 contained no fmding and 13 contained the foreign intelligence finding. Beginning in January 2009, the authorizing waiver contained specific counterterrorism fmdings as required by the Court's orders. Eight of the ten waivers issued in 2009 contained this finding. The last two disseminations in 2009, one in May and one in June, however, had only the more general foreign intelligence fmding in the waivers. (TS//Sli/NF) NSA also reviewed its records of all reports issued that may have included BR FISA-derived infonnation, including the records of reports written by analysts not specifically authorized to query the BR FISA metadata. 21 NSA did not discover any additional reports that were issued by non-BR cleared analysts.
ill. (TS//SI/INF) NSA'S COLLECTION OF FOREIGN-TO-FOREIGN CALL DETAIL RECORDS PURSUANT TO THE BR FISA ORDERS
(S

(TS//SI/

(TS//SV/N""F) To identify the total number of reports produced and disseminated that contained BRderived information, the NSA reviewed all analyst reporting records, including the records of reports written by non-BR-cleared analysts. Vilhen drafting reports, all NSA analysts, including both BR-cleared analysts and non-BR-cleared analysts, are trained to include in any reporting record the sources of the information contained in a report. The NSA's review included an examination of these records, including the fields of each record -that might include references to BR-derived source information. The NSA then audited the reports that referenced BR-derived information as a source, and excluded those that referenced BR sources but in fact that did not contain BR-derived information. Through this methodology the NSA was able to determine that 280 were reports were produced and disseminated. Admittedly, this methodology would not account for reports issued with BR-derived data that mistakenly failed to reference BR sources.

21

TOP SECRET//COMJNTIINOFORN

31 August 20099 Production

TOP SECRET//COMINT//NOFORN

TOP SECRET//CO:MJNT//NOFORN

31 August

200~

Production

109

TOP SECRET//COMINT//NOFORN

TOP SECRET//COMINT//NOFORN

31 August

200~

Production

11 0

TOP SECRET//COMJNT//NOFORN

(TS//SVINF) In May 2009, during a discussion between NSA and regarding the production of metadata, produced the representative stated that pursuant to the BR FISA Orders. This of its contrary

was the flrst indication that NSA had ever received

understanding. At the May 28, 2009, hearing in docket number BR 09-06, the government informed the Court of~ To address the issue, based on the government's proposal, the Court issued a Secondary Order to
in docket number

BR 09-06 that expressly excluded foreign-to-foreign call detail records from the scope of

TOP SECRET//COM.INT//NOFORN

31 August

200~

Production

111

TOP SECRET//COMINT//NOFORN
records to be produced. On May 29,2009, upon service ofthe Secondary Order in docket number BR 09-06,
vva.,._,u

providing foreign-to-foreign records-

almost all ofthem concern the communications of non-U.S. persons located outside the United States. IfNSA were to fmd that any of the records concerned U.S. persons, their dissemination would be governed by the terms ofUSSID 18 which are the procedures established pursuant to EO 12333, as amended.

TOP SECRET//COMINT//NOFORN

31 August 20Ge Production

11 2

TOP SECRET//COMINT//NOFORN

TOP SECRET//COMINT//NOFORN

31 August

200~

Production

113

TOP SECRET//CO"MINT//NOFORN

TOP SECRET//COMINT//NOFORN

31 August

200~

Production

11 4

TOP SECRET//COMINT//NOFORN

(TS//SII!NF)

TOP SECRET//COMJNT//NOFORN

31 August

200~

Production

115

TOP SECRET//COJVUNT//NOFORN

IV. (TS) NSA'S TREATMENT OF CREDIT CARD DATA CONTAINED IN BR FISA l\IIETADATA (TS//SI/ /NF) As first noted in a report to the Court in docket number BR 06-08, and noted in footnote 10 in the Application in docket number BR 09-09, a small percentage of records received tained credit card numbers in

one of the fields when a caller used a credit card to pay for the call. Exhibit B, docket number BR 06-08, at 6-8. At NSA's request, removed credit card

numbers from this field in the records it provided NSA starting on 10 July 2006, and 11 October 2006, respectively. Exhibit B, docket number BR 06-12, at 5-7. Since that time, NSA spot checks have confirmed tha to remove

TOP SECRET//COMINT//NOFORN

31 August

200~

Production

11 6

TOP SECRET//COMINT//NOFORN

credit card numbers from the relevant field. Also since that time, NSA spot checks have identified only one record containing a credit card number. That record contained a credit card number in a field different from the field filtered NSA identified this record during a spot check in approximately March 2008. (TS//SV!NF) The records containing credit card numbers received before gan filtering (i.e., records received in October 2006 and before) are stored on back-up tapes. 26 Records contained on back-up tapes are not available to analysts for queries and are not readily available to technical personnel. To destroy the individual records that are on back-up tapes would be an extreme resource and system intensive endeavor and therefore not feasible. It would require reloading the records from the tapes onto servers authorized to process BR metadata, uncompressing the records, converting them to a readable format, identifying those with a field containing a credit card number, and then deleting the records. Then NSA would have to test to confirm that only the records with credit card numbers were deleted, back-up the records again to tape storage and delete them from BR metadata servers. As the back-up tapes are necessary to rebuild the contact chaining database in the event of a catastrophic failure, to destroy the tapes prematurely would put at risk NSA' s ability to recover information important for operations and still allowed under the Court Order. In the event of the need to restore the
I -

BR FISA contact chaining repository, as the credit card numbers contained in those records do not become part of the chain summaries, analysts \Vould still not have

(TS//SI/!NF) These records also are stored in t h - discussed further below, where they were masked to analysts, and in the raw call detail record repositories, where they were accessible only to technical personnel. See Exhibit B, docket number BR 06-12, at 5-7, and Exhibit B, docket number BR 09-09, at 9-10 . .Analysts are not allowed to have the credit card number unmasked. Although these records were used to make chain summaries and stored in the chain summary database, the credit card numbers contained in the records did not become pat-t of the chain summaries.

26

TOP SECRET//COMINT//NOFORN

31 August

200~

Production

117

TOP SECRET//COMINT//NOFORN
access to this information. Based on the above information and that the back-up tapes will be destroyed upon reaching the end of their authorized retention period, NSA considers this information on the back-up tapes secured from user access until their required date of destruction. (TS//SII/NF) The above records containing credit card information are also stored
1ll

It is not feasible to delete individual records

based on the technical architecture of th~thout deleting all data from the beginning ofthe BR FISA orders up to October 2006. The loss of such data would be so operationally detrimental that deletion is not feasible. As described in Exhibit B to the Application in BR 09-09, NSA's current solution to ensure NSA analysts do not have access to this credit card information is masking the data upon retrieval. As NSA reconstitutes the to systems under a supported

architecture, the fields containing credit card information will not be included in the data transfer and will be purged. (TS//SI/ /NF) The one record with a credit card number identified by NSA since October 2006 exists only storage of raw call detail records, known as and on back-up tapes. As noted above, back-up tapes are not available to analysts. Likewise, th--~s not accessible to analysts for queries. This record is not stored in database and was not

used to build a chain summary because it was an incomplete record. In order to delete this single record from thel. . upon first isolating the appropriate file, NSA would have to uncompress the data from the provider's proprietary format, convert the data into a readable format, and move the data to a server that hosts the Data Integrity Analysts'

TOP SECRET//COMINT//NOFORN

31 August

200~

Production

11 8

TOP SECRET//CO:MINT//NOFORN tools to isolate and delete the one record. Removing data on back-up tapes is a difficult process as described above. Based on the above information and that the back-up tapes will be destroyed upon reaching the end of their authorized retention period, NSA considers this information on the ~!ind the back-up tapes secured from user access until their required date of destruction. (TS//SI//NF) In summary, I certify that the overproduced credit card information has been destroyed or secured as noted above, and that the records containing overproduced credit card information still retained by NSA cannot be accessed by an analyst, but as noted above will be destroyed no later than when the records reach the end of their authorized retention period.

V. (U) Conclusion:

(TS//SII/NF) The instances of non-compliance that have been identified in NSA's implementation of the Court's orders in the BR docket stemmed from a basic lack of shared understanding among the key NSA mission, technical, legal and oversight stakeholders concerning the full scope of the BR FISA program. With the remedial steps described above, NSA has taken significant steps to reduce the possibility of future compliance issues. Further, in moving forward, lessons learned as a result ofNSA's review of BR FISA practices will be institutionalized, and we will remain constantly vigilant in ensuring that we are in strict compliance with the Court's orders. Although no corrective measures are infallible, NSA has taken significant steps to reduce the possibility of any future compliance issues and to ensure that the mechanisms are in place to detect and respond quickly if a compliance incident were to occur. Therefore, I am

TOP SECRET//COlVIINT//NOFORN

31 August

200~

Production

11 9

TOP SECRET//COMINT//NOFORN
hopeful the Court will again grai1t NSA regular access to the BR FISA metadata, which I believe is invaluable in helping the Nation detect atl.d thwatt: potential terrorist tr...reats.

(U) I declare under penaity of perjury that the facts set forth above are true and correct.

Lieutenant General, U.S. AJIDy Director, National Security Agency

t{:p;~
. ..,-:-

Executed this _ "1

--1 .,i{

day of__,@=""'-"':hf"~...,;;.,--'-~--' 2009

/J

t1

TOP SECRET//COI'!1LN"T//NOFOR.c"'l
51

31 August 2009 Production

1 20

TOP SECRET//COlvlil'H/INOFORl'\f
1
~-

).

UNITED STATES FOREIGN INTELLIGENCE SURVEILLANCE ...COURT _ )----.. f,~t("' 1 I WASHINGTON, D.C. "c< ';

-=--

- -

'~

:.

PH 4=

1--~

IN REAPPLICATION OF THE FEDERAL BUREAU OF INVESTIGATION FOR lill ORDER REQUIRLI\IG THE PRODUCTION

Docket Number: BR 09-09

DECLAF.ATION OF LIEUTENANT GENER.\L KEITH B. ALEXJ..NDERj UNITED STATES AR_1\1Y, DIRECTOR OF THE NATIONAL SECURITY AGENCY

(U) I, Lieutenant General Keith B. Alexander, depose at'l.d state as follows:

(U) I am the Director of the National Security Agency ("NSA" or "Agency"), ar1 intelligence agency within the Department of Defense ("DoD"), and have served in this

position since 2005. I currently hoid the ran.k of Lieutenant General in the United States
/umy and, concurrent with my current assignment as Director of the National Security

Derived From: NSA/CSSM 1-52 Dated: 20070 i 08 Declassii'y On: Source Marked MR TOP SECRET//COMINT//NOFOR.. "N

31 August 2009 Production

1 21

TOP SECRET//COIYliNT//NOFORN Agency, I also serve as the Chief of the Central Security Service and as the Commander of the Joint Functional Component Command for Network Warfare. Prior to my current assignment, I have held other senior supervisory positions as an officer of the United States military, to include service as the Deputy Chief of Staff (DCS, G-2), Headquarters, Department of the Army; Commander of the U.S. Army's Intelligence and Security Command; and the Director ofintelligence, United States Central Command.

(U) As the Director of the National Security Agency, I am responsible for


directing and overseeing all aspects ofNSA's cryptologic mission, which consists of three functions: to engage in signals intelligence ("SIGINT") activities for the U.S. Government, to include support to the Government's computer network attack activities; to conduct activities concerning the security of U.S. national security telecommunications and information systems; and to conduct operations security training for the U.S. Government. Some of the information NSA acquires as part of its SIGWT mission is collected pursuant to Orders issued under the Foreign Intelligence Surveillance Act of 1978, as amended ("FISA").

(U) The statements herein are based upon my personal knowledge, information
provided to me by my subordinates in the course of my official duties, advice of counsel, and conclusions reached in accordance therewith.

(U) L Intmduction
(TS//SI//NF) Pursuant to a series of Orders issued by the Foreign Intelligence Surveillance Court ("FISC" or "Court") beginning in May 2006, NSA has been receiving

TOP SECRET//COMINT//NOFORN

31 August 2009 Production

122

TOP SECRET//CO:tvliNT//NOFORN

and analyzing certain call detail records or telephony metadata 1 from telecommunications providers. NSA refers to the Orders collectively as the "'Business Records Order" or "BR FISA." The telephony metadata NSA receives via the BR FISA has enabled it in the past to discover unknown persons in the United States and abroad affiliated with and

and unknown persons in the United States and abroad affiliated w i t their communications, and act upon and disseminate such information to support the efforts ofthe United States Government, including the Federal Bureau of Investigation (FBI), to detect and prevent terrorist acts against the United States and U.S. interests. Continued receipt of the telephony metadata is advantageous to NSA' s ability to continue its efforts to discover such terrorist organizations and their communications, in order to assist the FBI in detecting, investigating and preventing terrorist acts against the United States. Accordingly, tlus declaration is intended to provide the Court with my assessment of the value that the BR FISA metadata provides to the. NSA and the FBI with respect to the Government's national security responsibilities for the detection, investigation, and prevention of terrorist activities by

(S) "Call detail records," or "telephony metadata," include comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, international Mobile Subscriber Identity (IMSI) numbers, International Mobile station Equipment Identity (IMEI) numbers, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. A "trunk" is a communication line between two switching systems. Newton's Telecom Dictionary 9 51 (24th ed. 2008). Telephony metadata does not include the substantive content of any communication or the name, address, or financial information of a subscriber or customer.

3
TOP SECRET//COMINT/;NOFORN

31 August 2009 Production

1 23

TOP SECRET//CO:MINT//NOFORN , the "Foreign Powers").

(TS)

H. Value of BR FISA Metadata


(TS//SI//NF) The BR FISA provides access to bulk call detail records which

primarily include records of telephone calls that either have one end in the United States or are purely domestic. This collection of information is not available to NSA through its other authorized foreign intelligence information collections. This data has value to NSA analysts tasked with identifying potential threats to the U.S. homeland and U.S. interests abroad by enhancing their ability to identify, prioritize, and track terrorist operatives and their support networks both in the U.S. and abroad. By applying the Court-ordered "reasonable, articulable suspicion" or "RAS" standard to telephone identifiers 3 used to query the BR FISA rnetadata, NSA analysts are able to: (i) detect domestic identifiers calling foreign identifiers associated with one of the Foreign Powers and discover who the foreign identifiers are in contact with; (ii) detect foreign identifiers associated with a Foreign Power calling into the United States and discover which
(TS//Sl!/NF) For example, NSA obtains foreign intelligence information from its collection ofoverseas communications (SIGINT collection) authorized by Executive Order (EO) 12333, traditional Courtauthorized electronic surveillance pursuant to Titles I and III of FISA, Pen Register and Trap and Trace surveillance authorized pursuant to Title rv ofFISA, and, more recently, the targeting ofnon-United States persons reasonably believed to be located overseas pursuant to Section 702 of the FISA Amendments Act of 2008 (FAA). None of these authorities would allow NSA to replicate, or appropriately analyze, the call detail records it receives pursuant to the BR FlSA.
3

(TS//Sl//NF) In the context of this Declaration, the term "identifier" means a telephone number, as that term is commonly understood and used, as well as other unique identifiers associated with a particular user or telecommunications device for purposes of billing and/or routing communications, such as International Mobile Subscriber Identity (IMSI) numbers, International Mobile station Equipment Identity (IMEI) numbers, and calling card numbers.

TOP SECRET//COMINT/iNOFORN

31 August 2009 Production

1 24

TOP SECRET//COMINT//NOFORN domestic identifiers are in contact with the foreign identifiers; and (iii) detect possible terrorist-related communications occurring between communicants located inside the United States. (TS//SI//NF) Although NSA possesses a number of sources of information that can each be used to provide separate and independent indications of potential terrorist activity against the United States and its interests abroad, the best analysis occurs when NSA analysts can consider the information obtained from each of those sources together to compile and disseminate to the FBI as complete a picture as possible of a potential terrorist threat. Although BR FISA rnetadata is not the sole source available to NSA counterterrorism personnel, it provides a key component of the information NSA analysts rely upon to execute this threat identification and characterization role.

(S)

A. The Value of BR FISA Metadata: Contact-Chaining


(TS//SI//NF) The primary advantage ofmetadata analysis as applied to telephony

metadata is that it enables the Government to analyze past connections and patterns of communication. The ability to accumulate metadata substantially increases NSA's ability to detect and identify persons affiliated with the Foreign Powers. Specifically, the NSA performs queries on the metadata: contact-chaining

(TS//SI//NF) W11en the NSA performs a contact-chaining query on a terroristassociated telephone identifier the fu_rther contacts made by that first tier of contacts. In addition, the same process can be used to identify additional tiers of
5

TOP SECRET//COMThlT/iNOFORN

31 August 2009 Production

125

TOP SECRET//COMJNT/!NOFORN contacts, out to a maximum of three "hops" from the original identifier, as authorized by the Business Records Order. The collected metadata thus holds contact information that can be immediately accessed as new terrorist-associated telephone identifiers are identified. Multi-tiered contact chaining identifies not only the terrorist's direct associates but also indirect associates, and, therefore provides a more complete picture of those who associate with terrorists and/or are engaged in terrorist activities. (TS//SIIINF) One advantage of the metadata collected in this matter is that it is historical in nature, reflecting contact activity from the past that cannot be captured in the present or prospectively. To the extent that historical connections are important to understanding a newly-identified target, metadata may contain links that are unique, pointing to potential targets that may otherwise be missed.

TOP SECRBT//COJ\1INT/!NOFORN

31 August 2009 Production

126

TOP SECRET//COMINT/INOFORN

(TS//SINF) In sum, the BR FISA metadata analysis enriches the NSA analysts' understanding of the communications tradecraft of terrorist operatives who may be preparing to conduct attacks against the U.S. Terrorist operatives often take affirmative and intentional steps to disguise and obscure their communications. They do this by using a variety oftactics,l

7
TOP SECRET//COI'vfiNT/;NOFORN

31 August 2009 Production

127

TOP SECRET//COMINT/!NOFORN

(TS)

B. Filling the Gaps: BR FISA Metadata in the Context of Other Collections


(TS/ /Sli/NF) The BR FISA metadata complements information NSA collects via

other means and is a valuable, if not the only, means available to NSA for linking possible terrorist-related telephone communications that occur between communicants based solely inside the U.S. NSA analysts use the combination of telephony metadata and communications content collected pursuant to EO 12333 and/or Court-authorized electronic surveillance in concert with BR FISA metadata to develop an accurate characterization of individual/network activity; potentially derive the intent of the individual(s) or network; and learn of new terrorist networks or cells working inside the U.S. NSA's access to the BR FISA metadata improves the likelihood of the Government being able to detect terrorist cell contacts within the U.S. (TS//Sl!/NF) NSA's traditional SIGINT collection, which focuses strictly on the foreign end of commUnications, provides limited signals-related infom1ation available to aid analysts in identifying possible terrorist cmmections emanating from or within the U.S. Collection authorized by Section 702 of the FAA is limited to the targeting of nonUnited States persons located overseas and does not provide NSA with information sufficient to support contact 'tional Court-authorized

electronic surveillance does not make available the full extent of metadata resident with the service providers and provided through the BR FISA. With the metadata provided by BR FISA, NSA has the information necessary to perform call chaining - T h i s analysis enables NSA to obtain a fuller understanding of the target and provide FBI with a more complete picture of possible terrorist-related activity occurring inside the U.S.

8
TOP SECRET//COM1NT//NOFORN

31 August 2009 Production

1 28

TOP SECRET//COMINT/!NOFORN

(TS//SIIINF) The value of the BR FISA is not hypothetical. Additional detail available in call data records (CDRs) allows NSA to recognize that a communicant is based in the U.S., a detail often absent i~ traditional SIGINT collection. Unlike traditional SIGINT collection, BR FISA CDRs include the calling party number in a call that originates from the United States. From telecommunications provider's perspective, only the called number is necessary to complete a call. The originating, or calling, number is not required and, as unnecessary data, is often removed or manipulated by the U.S. telecommunications provider before leaving the U.S en route to an overseas provider. If the calling party information is present, it can be used by other telecommunication providers to understand macro traffic statistics and identify i...mportant business opportunities. For this reason, U.S.-origin calls collected overseas often lack a valid U.S. calling party number, making it difficult or impossible to identify that a particular call originated in the U.S. (TS//SII/NF) In illustration, prior to the attacks of 9111, NSA intercepted via its overseas SIGINT collection and transcribed seven (7) calls made by hijacker Khalid alMihdhar, then living in San Diego, California, to a telephone identifier associated with an al Qaeda safe house in Yemen. However, the NSA SIGINT intercept was collected through an access point overseas and the calling party identifier was not available because it had not been tra.Iismitted with the call. Lacking this U.S. phone identifier and having nothing in the content of the calls to suggest that al-Mihdhar was actually inside the United States, NSA analysts concluded that al-Mihdhar remained overseas when, in fact, he was in San Diego. The BR FISA metadata addresses the information gap that existed at the time of the al-Mihdhar case. It potentially allows NSA to note these types
9
\<

TOP SECRET//COMINT/fl"'-JOFORN

31 August 2009 Production

129

TOP SECRET//CO:MINT/!NOFORN of suspicious contacts and, when appropriate, to tip them to the FBI for follow-on analysis or action.

(TS//SV!NF) Once an identifier has been detected, NSA can use BR FISA metadata along with other data sources to quickly identify the larger network and possible co-conspirators both inside and outside the U.S. for further investigation by the FBI with the goal of preventing future attacks. One recent example ofBR FISA's contribution to characterizing a network of interest was the investigation referred to within NSA and FBI

(TS//SV!NF) NSA's involvement

in January 2009. NSA

analysts were following a foreign-based e-mail identifier associated with an al Qaeda facilitation cell in Yemen, an activity of significance due to U.S. Government concern with Yemen's potential to serve as an al Qaeda safe haven. This particular e-mail identifier was tasked under FAA authorities while numerous other network identifiers were monitored through EO 12333 authorities.

lupon verification, NSA as permitted by the Court-approved minimization procedures for NSA' s FAA collection, informed the FBI of the U.S.location of the identifiers. Upon receipt of

10 TOP SECRET//CO:tvilNT//NOFORN

31 August 2009 Production

130

TOP SECRETI/COMJNT//NOFORN the NSA information, the FBI initiated a full field investigation and sought its own FISA coverage on the newly-discovered domestic links. (TS//SI/INF) NSA used the BR FISA metadata to aid the FBI investigation by adding critical insight into the network's functions and intent. Analysis ofthe BR FISA metadata demonstrated foreign contacts within the suspected network stretching from Kansas City to New York, the United Arab Emirates, Yemen and Denmark. Vfhile BR FISA did not discover the person of interest in Kansas City, the telephony metadata was able to confirm suspicions that the FBI already had about him. It confirmed the target's outbound contacts with other members of the network and provided a better understanding of the network. This characterization would not have happened Virithout leveraging both the BR FISA metadata and the FAA access in conjunction with FBI's investigation. (TS//SII/NF) As in1portant resource forinvestigating threat leads obtained from other SIGINT collection or partner agencies. This is especially true for the NSA-FBI partnership. The BR FISA metadata enables NSA analysts to evaluate potential threats that it receives from or reports to the FBI in a more complete manner than if this data.source was unavailable. Even the absence of terrorist-related contacts in the BR FISA metadata can be valuable, because such "negative reporting" helps to assess the credibility of a prospective threat. (TS//SII!NF) A final benefit of the way in which BR FISA metadata complements other countertenorist-related collection sources is by serving as a significant enabler for NSA intelligence analysis. It assists NSA in applying limited linguistic resources
11

TOP SECRET//COMINT//1\fOFORN

31 August 2009 Production

131

TOP SECRET//COMINT//NOFORN available to the counterterrorism problem against links that have the highest probability of connection to terrorist targets. Put another way, analysis of the BR FISA metadata can help NSA prioritize for content analysis communications which it acquires under other authorities. assists in identifying terrorist communications of

interest, content exploitation is required to achieve a full understanding and characterization of the associations between the telephony identifiers at!d users. Additionally, content is critical to deriving intent of the individuals and associated networks. BR FISA metadata is an important piece for steering and applying content analysis so the U.S. Government can gain the best possible understanding of terrorist target actions and intentions.

(U)

C. Statistics/Additional Examples (TS//SI//NF) The foregoing discussion is not hypothetical. As noted on page seven

ofNSA's end-to-end report on the Agency's implementation of the Business Records Order, between inception of the first Business Records Order in May 2006, and May 2009, NSA issued 277 5 BR FISA-based reports to FBI and, if appropriate, to .other NSA customers. These reports tipped to the FBI roughly 2,900 identifiers that were noted to be in contact with identifiers associated with

(TS//SI//NF) The number of reports included in my Declaration of 13 February 2009 was 275. This was based upon information gathered on 6 February 2009. Further review has taken into account the fact that an additional report was issued after 6 February, but before 13 February. Some of these reports had been cancelled for various reasons and some of the cancelled reports were reissued with corrections. Therefore, the correct number of unique reports as of the 13 February 2009 declaration should have been 274. My Declaration also stated that there were 2,549 selectors tipped in these reports. The actual number of selectors tipped in the 274 reports is 2,888.

12 TOP SECRET//COMINT//NOFORN

31 August 2009 Production

132

TOP SECRET//COMWT/!NOFORN (TS//SV/NF) A recent illustration of the use of the BR FISA metadata can be found in the evaluation of telephony contacts associated

13

TOP SECRET//COMINT/!NOFORN

31 August 2009 Production

133

TOP SECRET//CO:MINT//NOFORN

(TS//SI/INF) In an even more recent example, on 2 June 2009 NSA received a request for information from the FBI pertaining to leads associated with

NSA conducted initial research on the identifiers provided by the FBI in EO 12333 metadata and subsequently sought approval from the FISC to query the identifiers against

BR FISA metadata, a significant number of those leads would have remained

undiscovered and NSA's ability to evaluate degraded. 14

.S. contacts would have been

TOP SECRET//COMINT/iNOFORN

31 August 2009 Production

134

TOP SECRET//COivfiNT//NOFORN (U)


IV. Conch:u.s]on

(TS//SVINF) In conclusion, while all metadata analysis is essential in the fight against terrorism, the BR FISA metadata provides NSA with additional information readily available through the providers, but which would be otherwise unavailable to NSA The BR FISA metadata complements and enriches NSA analysts' understanding of the target and provides the capability to detect domestic identifiers calling foreign terrorist identifiers abroad; foreign terrorist-associated targets calling into the United States; and possible terrorist-related communications occurring between communicants solely in the U.S. That the BR FISA metadata is generating what may be perceived as little foreign intelligence in comparison with the volume of the data collected does not discount its value to NSA's analysis of potential terrorist threats to the U.S. and to NSA's ability to provide security for the nation. NSA's access to the BR FISA metadata addresses a key gap in the Intelligence Community's ability to connect foreign and domestic threat-related information and tip this information for appropriate follow-up investigation.

15 TOP.SECRET//COIV[INT//NOFORN

31 August 2009 Production

TOP SECRET//COMWT//NOFORN

(U) I declare under penalty of perjury that the facts set forth above are true and
correct.

Lieutenant General, U.S. Army Director, National Security Agency

Executed this

3' ,u

day of

!?.t.rf= ,

2009

16
TOP SECRET//COMINT//NOFORN

31 August 2009 Production

136

TOP SECRET/ /COMD'lT/ /NOFO?-..J.~/ /FISA ' ' c~


~ ; . . '~ . ;._:

'

..

-.

~-'

-'

l.Tt'f1TED STATES

..- : ..; c L-L:.:._:

'~

~ , ......,

--;

:_ '- ; \ l

FOREIGN INTELLIGENCE STJKVEILLA1<CE COlTRT WASHINGTON, D.C.

IN RE }LPPLICATION OF THE FEDEAAL BUREAU OF IJ.rVESTIGATION FOR /u''-i ORDER REQulRING TB""E PRODUCTION GIBLE Tlil.NGS

Docket No.: BR 09-09

P..FflDAVE OF ROBERT S. MUELLER, III

I, RobertS. Mueller, III, hereby affl.rm tt'-le foliov. iug:

ClJ) I am the Director of th-e F ed.eral Bureau oflnve.stigation (FBI), 1J:tlited States

Depct.!"i:.:.nent of Justice (DOJ), a c-omponent of a..TJ. Executive Depanrnent of tbe United

De~ived

From: Multicle Sources Declassify On: 20340810

T'O.P SECRET/ /COI.Ul'i-T/ /NOFOR:N/ /FIS.J>..

31 August 2009 Production

TOP

SECRET//COMINT//NOFOR-~//FISA

States GoverP.ment (USG). I am responsible for, among other tbi.ngs, the national security operations of the FBI, u1cluding the FBI's Counterterrorism Division (CTD).
(U) The matters stated herein are based upon my persona} knowledge, my review

a..Tld consideration of documents and information available to me in my official capacity, inf01mation fumished by the National Security Agency (NSA) and information furnished by Special Agents and other employees of the FBI.

(U) Purpose of the Affidavit


(S//N.b) This affidavit is submitted i.n. response to the Court's Orders dated March

2, March 5, May 29, and July 9, 2009 (Orders). It describes the FBI's assessment of the value of the Business Records FISA (BR FISA) metad.ata to FBI national security investigations and, more broadly, to the national security of the United States.

(U) Relevance to Authorized Investi2ations


(S//N-r)

un.,.lmown persons in

the United States and abroad affiliated with are the subject of numerous FBI predicated investigations being conducted under guidelines approved by the Attorney General pursua.J.1t to Executive Order 12333, as amended. As of August 10, 2009, the FBI had approximately~ open predicated tarcretincr investiationsi b .0

(U) Predicated investigations are either full i11Vestigations or preliminary L.1.vestigations. A fu1l investigation may be i...nitiated ifthere is an a.t-ticulable factual basis for the investigation that reasonably -indicates, inter alia, that a !P..reat to the national security has or may have occurred, is or may be occurr'mg, or v-vill or may occur and the investigation may obtain infofiTl.ation relating to the activity or the involvement or role of at"l individual, group, or organization in such activity. A preliwinary investigation may be initiated on the basis of infonnation or an allegation

TOP

SECRET//COMINT//NOFOfu~//FISA

31 August 2009 Production

1~Q

TOP SECRET//COMINT//NOFORN//FISA

"t:.,s of August 10, 2009, the FBI v,ras conducting approximately associated with

IIIII predicated investigations of individuals believed to be


under

guidelines the Attorney General has approved pursuant to Executive Order 12333, as amended. (TS/SV/l'W) The National Security Agency (NSA) has issued and is expected to continue to issue to the FBI BR FISA metadata "tippers" regarding telephone numbers that are associated wi

are

targets of FBI investigations. The tippers provide information regarding contacts between these foreign telephone numbers and domestic telephone numbers. NSA identifies the assessed users of the foreign telephone numbers, the dates of contact betvveen the foreign telephone nu...rnbers ruJ.d the domestic telephone numbers, and 3.L"'1Y additional infonnation, e.g., foreign telephone number's country of origin, domestic telephone number's city and state, etc., that NSA may have regarding the telephone numbers.

(S//SI) FBI Processin2: of BR FISA Metadata Reports


(S/!N.t<) FBI employees from the Counterterrorism Divis.ion's (CTD) Cow..mu...11ications .A.J.1alysis Un.it (CAD) are detailed full-time to the NSA's Homeland

h.11dicating, inter alia, that a threat to the national security has or may have occurred, is or may be occu...-rri.ng, or will or rnay occur and t.tl;.e LTlvestigation may obtain information relating to the activity or the D.1volvement or role of &"1 i__ndividual, group, or organization in such activity.

TOP SECRET/ /COMI:N"T/ /NOFOR...""l'/./FISA

31 August 2009 Production

139

TOP

SECRET//COMI~~//NOFORN//FISA

Security Analysis Center C:I-{SAC). These detailees, known as "Team 10," consist of a Supervisory Special Agent and several Intelligence Analysts. Team lO's chief responsibility is to identify and initially process domestic information contained in reports disseminated to the FBI from HSAC. 2 Upon receiving an HSAC report, Team 10 queries FBI databases to determ.it1e whether the FBI already has information about any of the domestic facilities contained in the report. Team l 0 then trcw.J.Smits the NSA information together with additional analysis based on lli"lY il1fom1ation already known to the FBI to the appropriate FBI field offices. Team l 0 also recommends subsequent investigation to t.he field office.

(S//SI) Value of BR FISA Memdata to FBI Investi2ations


(TS/ /Sli!NT) The FBI derives value from the BR FISA metadata primarily in two ways. First, BR FISA metadata provides information that .assists the FBI in detecting, preventing, and protecting against terrorist frueats
tD

the national security of the United

States by providing the predication to open investigations, advance pending investigations, and revitalize stalled investigations. Second, metadata obtained via the BR FISA can provide -warning signals that alert the FBI to individuals who are inside the United States and are li.rLk.ed to persons who pose a threat to the national security.

(S//Sf) I. BR FISA Metadata as Additional Information


(S//SI) The FBI is authorized, inrer alia, to collect intelligence and to conduct investigations to detect, obtain infom1ation about, and prevent a...nd protect against

(S/1Nt) HSAC reports include BR FISA metadata "tippers."

TOP SECRET/ /CO!HNI'//NOFORN//FISA

31 August 2009 Production

1 .1n

TOP SECRE'T//COMINT//NOFORN//F'ISll.
terrorist trueats to national security. The more hiformation the FBI has regardli1g such threats to the national security, the more likely it will be able to prevent and protect agah""lst those tlneats. The BR FISA metadata program is a source of information that the FBI uses in its mission to detect, prevent, and protect against terrorist threats to national security. The oft-used metaphor is that the FBI is responsible for "connecting the dots" to form a picture of the threats to national security. BR FISA metadata provides additional "dots" that the FBI uses to ascertain the nature and extent of domestic threats to the national security. (S//SI) In certain circumstances, the FBI may already have an investigative i..nterest in a particular domestic telephone number prior to receipt of a BR FISA metadata tipper containing that domestic telephone number. Nevertheless, the tipper may be valuable if it provides new information regardii1.g the domestic telephone number that revitalizes the investigation or othenvise allows the FBI to focus its resources more efficiently and effectively. (S//SI) The FBI has received BR FISA metadata tippers contai.J.J.i.ng i..11formation not previously known to the FBI about domestic telephone numbers utilized by targets of pending preliwin2w.)' investigations. The information from the BR FISA metadata tippers has. provided articulable factual bases to believe that the subjects posed a threat to the national security such that the preliwinar; investigations could be converted to full investigations, which, hi tum, led t.h.e FBI to focus resources on those targets. The FBI has also re-opened previously closed investigations based on information contained in
3

(U) Because there is greater predication for a full :investigation (an articulable factilal basis to believe the subject poses a threat to the national sec\li-ity) than for a prelirni.J.l.ai)' investigation (information or allegation that the subject is or may be a threat to the national security), the FBI tends to focus more resources on full i.tl.vestigations than prelirnitl.ary investigations.

TOP

SECRET//COMI~~//NOFO~~//FISA

31 August 2009 Production

1 4.1

TOP SECRET//COMINT//NOFORN//FISA

BR FlSA metadata tippers. In those instfuJ.ces, the FBI had previously exhausted all leads and concluded that no Wilier investigation was warranted. The new information from the BR FISA metadata tippers was significail.t enough to warrant the re-opening of the investigations.
(S//hi'F) Provided below are two examples of investigations

were re-opened because of new illfonnation provided by a BR FISA metadata tipper.

(S//SI) II. BR FISA Metadata Analysis as an "Early Warning Systemj' (S//SI) The earlier the FBI obtai..D.s information about a threat to national security, the more likely it will be able to prevent a.nd protect against those threats. The BR FISA metadata program sometit-nes provides information earlier than the FBI's other investigative methods and techniques. To use the oft-used metaphor, BR FISA metadata sometitues provides "dots" that the FBI may not otherwise have uncovered until much later in its investigation. In those instances, the BR FISA metad.ata program acts as an "early wrulling system" of potential threats agaiL1st national secUJ.-ity. (S//SI) ln certain circumstances, the FBI may receive a BR FISA metadata tipper containing infom1ation regarding a domestic telephone number t.hat the FBI D.1evitably -would have discovered via other investigative teclwiques. Nevertheless, that tipper is valuable because it provides information earlier than the FBI would otherv;rise have obtained it. Earlier receipt oft.'1e infom1ation may advance the investigation and could contribute to the FBI preventing or protecting against a threat to national secUJ.-ity that, absent the BR FISA metadata tipper, the FBI could not.

TOP SECRET/ /CO!Hh"T/ /NOFORN/ /FISA

31 August 2009 Production

142

TOP

SECRET//COMI~~//NOFO&~//FISA

(S//SI) The FBI has also received BR FlSA metadata tippers regarding domestic telephone numbers in which the FBI had little or no prior investigative iLJ.terest at the time the tipper was received. In those instances, the FBI opened either a preliminary or a full investigation of the user of the domestic telephone number. Here again, although the FBI may have inevitably developed an investigative i.il.terest iL1 these domestic telephone numbers, it is impossible to say when that would have occurred or 1-vhet..her it would have occu__rred too late to prevent or protect against a terrorist attack. (S//SI) Provided below are two examples of preliminary in '-'"'',"'"'""'-' were conm1enced based upon BR FISA metadata tippers. In both cases, the investigations were eventually converted to full investigations based on information developed by the FBI, thus demonstrating the value of the BR FISA metadata i.nfom1ation.

(U) HI. Statistical Information Pertaining to Full Investigations

(TS//SI/;NF) One method of quantifying the value of the BR FISA metadata to the FBI's efforts to protect the nation's security is t.1e number of predicated full investigations that the FBI has opened or supported using BR FISA me.tadata provided by the NSA. Full investigations opened based on BR FISA metadata tippers illustrate the value of the BR FISA metadata in assisting the FBI to identify previously u.nknovm coilllections bervveen persons in the United States and . Siwilarly,
4

(S/!NF) Full iiwestigations are typically more significant and fruitful than preliminary investigations. I will, therefore, ii.mit the information discussed in this affidavit to full investigations that were predicated, in whole or part, or assisted by BR FISA metadata.

TOP

SECRET//COMI~~//NOFORN//FISA

31 August 2009 Production

TOP SECRET//COMINT//NOFORN//FISA
~

the number of preliminary investigations converted to full investigations illustrates the importance of the BR FISA metadata in assisting the FBI to develop suspected connections between persons in the United States and

(S//NF) Below is a chart contai.cling statistical information pertai.r1i..11.g to


investigations that were opened as full investigations or converted from preliminary investigations to full i.TJ.vestigati.ons based, at least in part, on information from BR FISA metadata since the Court flrst authorized the BR FISA order in 2006 through 2008. These statistics show that the BR FISA metadata's contribution to FBI i.TJvestigations is not insignificant. This chart includes (1) the total number of full investigations that are predicated, at least in part, on BR FISA metadata; 5 (2) the number of Intelligence Inionnation Reports (IIRs) issued to foreign partners from these full investigations; ru.1d (3) t.he number ofiiRs issued to other U.S. government agencies from these full investigations.

(S/f.N.!:<) The FBI's statistics inclulie i.nvestigations that were (1) opened as full investigations based, at least in pa1t, on BR FISA metadata, and (2) preliminary irlVestigations that were converted to full investigations based, at least it1 part, on BR FISA metadata. These statistics are limited to investigations that are COil!.!ected directly to BR FISA mer.adata tippers. BR FISA metadata tippers have also indirectly contributed to the predication for other investigations. For example, information obtained duri_Tlg the full investigation o~ discussed below, led the FBI to open preliminary investigations of others suspected of engaging in similar activities. This affidavit is liroited to investigations based directly, at 1east in par~., on BR FISA metadata.

TOP

SECRET//COMINT//NOFO~~//FISA

31 August 2009 Production

TOP

SECRET//COMI~~//NOFORN//FISA

I I

I
2006 2007 2008 \ Total

Full Investigations Opened/Prelimina.t)' Investigations Converted to Full Investigations

I Intelligence
I I I
i

I Information Reports
(IIRs) Issued to Foreign Partners
l

j
1

IIRs issued to Other U.S. Government Agencies

I 13
1

1
6

\3

19
15

16
\24

!8 I

135

127

j31

\46

(S//SI) During the 27 full investigations that were based, at least iL1 part, on BR FISA metadata tippers, the FBI has found and identified knmvn and unki10"Wi1 members or agents and those in communication with them. The i.J.t.formation NSA has tipped to the FBI has also permitted FBI to acquire additional information about such individuals and their activities, includmg criroinal activities in support of international terrorism.

(VI

rv.

Specific Examples of Noteworthv Full Investigations

(S//SI) To iUustrate the value of the BR FISA metadata program to the FBI, four (4) full investigations that were predicated, at least in_ part, on BR FISA metadata tippers

are suj]J_J_-nari_zed below.

= (S//Nr) Because cerl2.in IIRs were issued to multiple cou._'l.tries, t_he FBI issued a total of 51 ITRs to foreign partners.

TOP

SECRET//COMINT//NOFO~~//FISA

0 -'

31 August 2009 Production

TOP SECRET//COMINT//NOFORN//FISA

(S) A

FBI opened a preliroinary investigation of a U.S. person, based on an 3J.J.onymous letter aileging that he and eight others had ties to the Muslim extremist organizatio~ pursuing all available leads, the FBI closed the prel.i:mir"ary investigation on show
, i_n

because it had not developed any evidence tending to fact, affiliated wi~ , the FBI received an intelligence

(TS//SV/OC//N""F) On or

report from the NSA that included information and contact chaining analysis conducted on data obtained throug..h the BR FISA order ("metadata report"). The metadata report established a - connection bet-ween a - tel.ephone known to be used by a--based extremist with ties to

an urilisted

telephone number. 7 The

F B I ' s - Division opened a prelimi11ary il.J.vestigation of the unlrnovm user ofthe telephone number based upon the information contained in the metadata report
as

and information contained h1 FBI's databases that telephone number linked t o - other pending FBI irwestigations. 8

'-"-l.HU"-1

telephone was in contact wiib tC,1'-'tJJ.RJ!l'-' was in COntact Wit.h

TOP SECRET//COMINT//NOFORN//FISA

10

31 August 2009 Production

TOP

SECRET//COMIN~//NOFORN//FISA

(TS//SIJREL TO USA, AUS, C/ul\f, GBR, NZL) On or about d u r i . . n g - preliminary investigation, the FBI received L.nformation from the NSA indicating that someone named had stated using

the-

telephone number

At the time,

linked to the

(S) On or about
of telephone number

identified by the FBI as a user Based on that identification, the fact

was formerly the subject of ~preliminary investigation, and the phonetic si.mila.J.-ity between name and the name

Division converted the preliminary investigation of the unknown user o i.J.1to a full investigation o

(TS/ /SI) During the ful.l investigation, the FBI obtai.J.J.ed authorization from this CmL.rt to conduct electronic surveillance of Court-authorized e}ectronic surveillance of tinely discussed

Also t.hiough this investigation, the FBI has identified other individuals in the United States who are believed to be involved in

TOP

SECRET//COMINT//NOFOP~~//FISA

ll

31 August 2009 Production

TOP

SECRET//COMINT//NOFOR-~//FISA

f o r - . full investigations have been opened as a result of information obtained through the and means that these individuals use to suspected use of The FBI has also identified certain methods including the

(S//OC/fN.'?) The FBI is working with the Department of Justice, National Securit-y Division, and the United States Attorney's Office,

-toi.tJ.dict

criminal charges that include, but are not limited to,.

(S) B.

the FBI opened a full investigation of

and were connected t o - On or

the FBI closed this

investigation (t..he ~investigation) after pursuing all available leads because the U.S. Attorney's Office, additional evidence could be obtained. (TS//OCI!Nr) On or the FBI received a BR FlSA was reluctant to proceed unless

metadata report from the NSA that included information and contl'lct chaining analysis

TOP

SECRET//COMI~~//NOFORN//FISA

12

31 August 2009 Production

148

TOP
indicating that

SECRET//COMINT//NOFO~~//FISA

each been in contact with several cellular telephone numbers in were believed to be used b y - 11 The numbers -were, in tllm, in contact with associated with bv -'
12

-that cellular telephone

telephone numbers believed to be which are owned

L-1 addition, the BR FISA metadata report stated that a -

telephone number, repmiedly registered had also been in contact with tV'iO ofthe aforementioned- telephone numbers.
(S//Nt) Based upon the information obtained in the~ investigation,

information obtained from another i11.vestigation that had been conducted fromllll
14

and on the iP.iormation provided by the BR FISA metadata

report, the FBI re-opened the full terrorism investigation of

(S//OC//I:.J.t) Since re-opening the investigation i1--, the FBI has received

reports from VB.:Lious sources, connected to and

(S) The FBI subsequently confl_l!ned via an NSL that of two of t h e - telephone numbers.
;

According to U.S. Intelligence Co:ffi.L-nunit:.v reporting, that is responsible for directi_ng and supporting
(S) the FBI re-opened the full investigation of lli>onymous letter alleging that they supported-. The e-vidence, and closed the investigation again in

TOP

SECRET//COMIN~//NOFORN//FISA

13

31 August 2009 Production

149

TOP SECRET//COMINT//NOFORN//FISA

(S) The FBI continues to investigate The FBI recently obtained rene\ved FISC authority to conduct electronic ephone and e-mail accolh'1ts, as well

surveillance and physical searches o as The FBI's investigation of

ongomg.

(S) C. (TS/lSI/lOCI fN""F) On or about the FBI received a BR FISA

metadata report from the NSA that included information and contact chaining analysis indicatu1g that associates of

telephone numbers. 16

According to the NSA's BR FISA metadata report, two of the one

foreign telephone numbers that were in contact with

cellular number and o n e - cellular number, were also in contact with U.S. telephone iill Internet search of the FBI revealed

the apparent subscriber of the telephone number. Furthermore, toll billing records obtained via NSL's in connection \vith oth.er FBI LJ.vestigations revealed by the FBI in been in contact

Vvi.th telephone nu_rnbers associated with four other pending counterterrorism investigations. That information, in conjunction '"ith the information obtained from the

maintai..ns ties to more

an organization designated by the Interagency LJ.telligence


as a tier l support entity t o reports regarding his acti-vities from both the

TOP SECRET/ /COHIJ:.t""'T/ /NOFOR.~/ /FISA

14

31 August 2009 Production

150

TOP

SECRET//COMI~~//NOFO~~//F!SA

BR FISA metadata program, formed the basis for the FBI's decision to open a preliminary investigation The prelimina..ry investigation was opened on

(S//OC/fr...Tf) During the preliminary investigation, the FBI learned that board member of

On or about been designated


a senior member o - and

reported to the FBI a poLJ.t-of-contact for donated

Based on t.lis additional information, o n - , the FBI converted the preliminary investigation of
a full investigation.

(SI!NF) The FBI has obtained il1formation about several ti..nancial transactions that

suggests

is providing material support to a foreign terrorist organization. On to in-

According to the CIA, as well.as the

was a member o f . In addition, in-on The CIA has reported -to

is believed to be a member of~ Fh1ally,

TOP

SECRET//COMI~~//NOFO~~//FISA

15

31 August 2009 Production

TOP SECRET//COMINT//NOFORN//FISA
ill

on

. According to the

former senior member of~


(S//Nr) Although these known money transfers

and and

are not particularly large, they do show connections betvveen members and former members o f . . These co1mections are troubling in light of significant account activity that occurred o~. On that date, made deposits to his check.i11g account o - a n d - iil.cluding- in foreign currency. also transferred-a a~ank. named

This transfer is

and analyze responses to eleven national security letters that were served duru1gllll

IIIII

The FBI is also investigating t h e - bank account that received- from

(S) D. (TS//SLI/OC//.l\1F) On or about the FBI received a BR FISA

metadata report from the NSA that included ir.Jorrnation a..n.d contact chai.nitl.g analysis

TOP

SECRET//COMINT//NOFO~~//FISA

16

31 August 2009 Production

152

TOP SECRET/ /COMINT/ /NOFOR..l'l"/ /FISA

indicating that a~ellular telephone number used by several extremists associated with the numbers, inducting had been in contact with several U.S. telephone cellular number The FBI's

database contained information from another investigation indicating t'J.at the subscriber of t h e - telephone number was Based on t.h.e infonnation

contained in the BR FISA metadata report, the~ivision was instructed by FBI HQ to conduct a threat assessment ofthe user of the ostensibly

(S//Nr//OC) Th-Division subsequently received information from a

that on or about

had been killed

Based on the BR FISA metadata, the information identifyi...ng the subscriber of the-telephone number, the F B I ' - Division opened a full investigation o alleged association w i t h been reported killed, the FBI elected to investigate, inter alia, \vhether the report of was accurate and whether others traveled

overseas and took part Ll1 terrorist training -v;.,ith bim i n -

(tJ) Condu.sion

(TS//SI) Tne facts set forb.'l. above demonstrate that the BR FISA metadata has historically proved to be a valuable source of intelligence to the FBI. Its historic value leads me to conclude that the BR FISA metada:-t.a will continue to be a valuable source of

TOP SECRET//COMI~~//NOFORN//FISA

17

31 August 2009 Production

15

TOP SECRET//COMINT//NOFORN//FISA
intelligence that is relevant to numerous FBI-authorized international terrorism i.t1.vestigations. Accordingly, I hereby certify that the BR FISA metadata is relev&.'1t to an authorized investigation (other than a threat assessment) to obtai.t1. foreign intelligence information not concerning a U.S. person or to protect against international terrorism or clandestine inteiligence activities, and that such investigation of a U.S. person is not conducted solely on the basis of acti,ities protected by the First Amendment.

(U) Pursuant to 28 U.S.C. 1746, I declare under penalty of perjury that the

foregomg is true and correct.

ROBERTS. MUELLfR III Director Federal Bureau of Investigation

&bL~

TOP SECRET//COMINT//NOFORN//FISA

18

31 August 2009 Production

Business Records FISA NSA.Review


25 June 2009

Prep,ared bv: Business Records ,, Lead,

FIS_,~

Team

TOPS ECR F'l'/iCO!v1lNrri()RCC!NiT\lOFORN

31 August 2009 Production

~f;{F} ImQief_nen~ati~~ of the ForeigJl In..\g~_l!lJ:en.ce Sm:v~iJ~~h1~ c;qu_rt

Autliwrized Business Records FISA.- NSA Revie\'' 25 ,june 2009

<:::1'''-''N'F'' Recorc1.s 1~ -'I"' 1 n r l (.... ! ,; />).til ' ; 'fl1.c B usuwss :ci.A C' ..omp.mnce Kcvrev,r earn o f th .e 'l>.l ,-,atwoa

Security ,-\gency (NSA), in response to instructions from the Director ofNSA (DlRNSA) and as set out in DtRNSA 's Ded<trabon of 13 February 2009 to the Foreign intelligence Surveillance Coul't (FiSC), conducted a comprehensive systems engineering and process reviev.-' of the instrumentation and implementation oftbe Business Records (BR) FISA authorization. This review was focused alcmg the tv,;o major components where compliance issues had been reported-- system-level technical engineering and execution withitl the analytic V;lorkforce.
(TS//Sf//NF) Tbe review entailed 8 major system or process components ofthe BR FISA metadata v-mrkf1ow, 248 sub-components, and 93 requirements and resulted in 9 new areas of concern based on past practice..;:; as described herein. NSA has taken steps, described herein, to remedy the problems identified, and to ensure to the extent possible they \.Vill not recur. NSA has a!so developed plans for both the cunent and future architecture tD provide more rigorous and efficient protection~ contro1 and monitoring of the BR FISA metadata. Implementation of the env-isioned changes in architectural de..>sign and oversight procedures briet1y described in this report will help mitigate vulnerabilities and correct the problems identiHed through the course ofthe end-tcH:m.d review. {C//REL TO USA, FVEY) The end-to-end review revealed that there was no single cause of t11e problems that occurred and, in fact, there ~rere a number of successful oversight, management and technology processes in place thai operated as designed. The problems NSA experienced stemmed from a basic Jack of shared understanding amcmg the ke:v mission, technology, legal and oversight stakeholders ofthe full scope ofthe program to include its implementation and end-to-end desi&'1l. The complexity of the overall conf1gumtion, due in part to tbe intricacy of the system and the difiering rules assoC-iated with 'NS/\ 's various authorizations, was also a contributing factor as \Vas the fact that NSA oversight was primarily fhcused on analyst access to and use of the metadata.
(TS//SL'/NF) This report, which assumc~s a basic knowledge ofNSA's structure and some familiarity with the FISC documents and DIRNSA declarations associated \Vith the BR FISA program~ addresses previously identified and ne'vviy uncovered areas of concern, as well as the corrective actions already taken, and those on-going or plan.ned. to address

these issues. It details the scope of the eod-to-end re:view_, the methodology employed and the resu}ts. H also describes the minimizntio-n and oversight procedures NSA proposes to employ should the FISC decide to approve NSA's resumption of previously authoriztx1 access to the BR fiSA mctadata, to include automa!ed alerting and querying ofthe metudata, as weli as the authority to estabLish whether a telep-hony selector me:ets the Reasonable Articulablc Suspicion ("RAS'') standard for analysis (i.e., regular autborlz.ed access). Additionally, the report ouUi.nes the checks, balances and safeguards

31 August 2009 Production

engineered into the system; points to the need to c!ari(y existing language i.n some cases; and desc.Tibcs enhanced training f:()r the \Vorkfbrcc that is designed to prevent future instances of non-compliance. Finally, the report includes a summary of a proposed

tochnical architecture which will further protect BR f[SA metadata.


(TS//Sl//NF) in conducting the end-to-end review, NSA established a diverse tearn of technical, legal and rnis.sion experts to examine jointly the key functional are:as of system engineering, mission crperations and oversight. The NSA team created an i.trchitectura1 diagram of the end-to-end data and v,rorkf1ow and examined each major system component and su.f:rcornponent to ensure a complete understanding of how the data was handled. In addition, 1"JSA wmpiled all BR FISA-related requirements and evaluated each system and process component against those requirements to identify areas of concern or vulnerability. (U//FOUO) In moving forward., NSA will not only ad.dress the specific technical and proce-ss issues identified in this report, but wUl also implement changes in its program management construct to increase transparency and a\Nareness among accountable parties and establ-ish an enduring view of the full scope of t11e program. (U//FOUO) NSA may produce additio.nal supplements to this report to the extent necessary to respond to additio-nal items that may be of intere:st to the court

A. (U//FOOO) Previously Reported Compliance Issues

.L {U//.F'OtJO) Telephony Activit:.; Oetectkm (Alerting) P.roces$

(TSi/S!//NF) As previously described to the Court, i NSA implemented an activity detection (alerting) process 2 in a manner that was not authorized by the Court's Order, and then inaccurately described that process in its initial and each gubsequent report to the Court. NSA stated that only RAS-approved selectors were inctud<:)d on the Activity Detection List when, in fact, the list included those RAS-approved and nc~n~RAS a.pproved selectors 3 '>Vhich were also tasked fbr content coli~ction by countertenorism analysts tracking subsequent to
1

(U//FOUO) See DIRNS.r\ Declaration dated t3 Februar-y 2009, at Sec.tion,; IH.A. and !LI.B.

(U!iFOUO) NSA nmv refers io the ,'\len Process and the Aleri Li,;t as the Activity Detection Process and the Activity Detection List to more acc.uraldy describe their functions.

:; (TS//SL'/NF) In mid-.fanllary 2009, there weno 1,935 R.i\S-approved and !5,900 non-RAS-approved ;;;deci(..'l"S on the Activity Detection Li:>t. At thai tirne, the Station 'fable (the reference database of all RAS evaluations) had approximately 27,000 selectors identified a>: RAS-approved and 63,000 ~elector~ identified as non-RAS,i:!.pprove.d.

T'CJP SFCRFT/iC'()rv'UNTii()R <:'C)NiNOFOR N

31 August 2009 Production

TOP S LC:RFl'i'COM il\i'f,/01\CO N'I'J()F,.(>RN


the modlfkatinns of the BR FISA Court Order on 8 2007,

,' on14Junc
4

(TS//Sl//NF) The Activity Detection List that was used prior to 24 January 2009 to alert
analysts to a selector of potentia! interest was a list independent of the Station Table, the historic reference database of all RAS evaluations. The Activity Detection List was

compared against the incoming BR FlSA data to assist analysts in prioritizing their work. Some of the select(}fS on the Activity DctectiGn List had br:.:en RAS evaluated, and their status would have been reflected on the Station Table. Others had never been evaluated for R.t...S and would not have appeared in the Station Table. in this latter case, they were treated as non-RA.S~approved on the alert list \liihich meant that contact chaining did not take place in the complete body of archived data until and unless the particular selector had satisfied the RAS standarct . to the Court reflected a similar process (TS//SI//NF) NSA 's de~tion ofthis already in place for the. I pro~-ram, but NSA 's implementation of the tvvo processes V'as . , as described to the Court., the NSA personnel who designed the BR Fl.SA Activity Detection List process believed that the requirement to satisfy the RAS staodard was only triggered when access \vas sought toNS/\ 's stored (i.e., "archived'' inN SA parlance) repository of BR FISA
metadata. The inaccurate characterization ~>vas identified in the course of a meeting betVr'een NSA and representatives from the National Security Division (NSD) of tht: Department of Justice (DoJ) on 9 January 2009. During discussions, DoJ identified vvhat \vas ultimately dctennined to be an incident of non-compliance with t.be Order. After

additional inquiry, NSD/D{)J officially reported the incident to the FISC ern 15 January
2009.

(TS//SI!/NF) Between 20 and 24 January 2009, the RAS-approved portion of the Station
Tab!c was mistakenly implemented as the Activity Detection List in an attempt to address the original problems identified with the akrting process. At that time there were approximately 27,000 selectors on this Jist, approximately 600 of which were designated as RAS-approvcd without having undergone NSA Office of General Counsel (OGC) re\ie\r,' as described in Section U.A.4.
{lJ) Remedial SteQ~

(TS//SU/NF) NSA con1pieteJy shut down the Activity Detection Process against the BR FlSA 11''H:>:tada.ta on 24 January 2009 as a corrective measure.

2. (lli/FODO) TheITV!echanism

-------------1
'

inclt!de---
reasonably believed
(CJ

(TS//S!//NF) As of 8 Augu.o.t 2006, queries of the BR motadaia for t.elephone identifwrs rea$onably believed robe a s s o c i a t e d - - - ivere permitted by the Court. As of \4 June 2007, the authorizi;tion expanded again to indude ueries of the BR melaclaia for tel idcn.ti.fiers

be associated with

to

'!'()[ 1 SLC'RL:Ti/C.'()\r\!NT. ORCC)N/NO.FORN

31 August 2009 Production

(TS//Sl//NF) As previously reported to the Court, 5 from May 2006 to 18 February 2009 . NSA intelligence analysts who V;rere vvorking countertermrism targets had access to a tool kno\vn as - N h i c h was used to assist them in deten11ining v.,rbetber or not a telephone identifier of interest vvas preserrt in NSA's metadata repositories and, if so, what the kvel of calling activity was frJr that selector. Between these d a t e s , in turn, accessed the data present in the BR FfSA metadata repository to assist in responding to these questions.- is no-t a tool used for contact chaining. Rather, fen eacb query of a specific telephony sck:ctor, t h e tl!O returns the nurnber of unique contacts, the numbe:r of cnHs made, the dates of the first and last call events recorded in NSA 's data repositories and the amount of thne it took to process the query. [t does not return the actual telephone i.dentif!ers in conta.ct with the~ selector thRt serves as the basis for the analyst's query. Though can be used as a stand-alone tool it is more common invoked other

(TS//SV/NF) On 19 February 2009, NSA contlrr:ned that ~erfom1ed que1ies against the BR FlSA mctadata repository using non~RAS-approved selectors~ It was also coni1nm.x1 that analysts vvho were not BR FISA~authorizecl inadvertently accessed BR FISA metadata without realizing it as a result of a c c e s s i n g - The results

returned from this tool did not identify to the user whether their results came from BR FlSA or from metadata collected pursuant to NSA's authority to coUect signals intelligence infomw.ticm under Executive Order (EO) 12333, but rather t;;ombi.ned them into a consolidated summary.

-f<:;))OSitory.
5

(TS//SI//NF) On 20 February 2009, NSA removed the specific system~ level certificate {cryptol<)gic authentication ten software akin to a ticket used to confinn the bearer is entitled to that had allowed the BE FISA-enabk::d

Out of an abundance of caution, NSA also rnade soft\vare ch Ivtareb 2009 which removed analysts' abi1ity to manually in -..tga.inst BR FISA m.ctadata. \Vhile- cou.ld still auto,a"'c'"''~'

(Ui/FOUO) See D!RNSA Suppleinenlal Declaration dated 25 Fckl!1rary 2009 <It Section II.A. & B.
automated

(' (TS!/S l:'/NF) The rernoval of the systc1m-leve! certificate c.ut off all access to the BR FlS A metudata chain

Tf) P SF.: C R F L'/C 0 MiNT//() h'..CON 'N 0 FORi"l

31 August 2009 Production

invoked via the Automated Chaining Analy~is Tool (ACAT), 7 as stated, the revocation of the system level certificate prcvcnte<.- from accessi.ng the BR FISA metadata chain repository.

3. (t.i//FOUO) Improper Analyst Queries

. . l reportec:! w ' 'h ,H -v,ras .1\TS' A' 1ssues prev1oUSf)' L ,e (';our;; l" ,, s disco\'ery that betvveen 1 November 2008 and 23 January 2009) three analysts inadvertently performed chaining within t h e - BR FlSA metadata repository using '! 4 di ffcrent telephone identifrers that did not meet RAS approval prior lo the query.
The analysts did not realize they were querying the BR FIS/',_ metadata and none ofthe

'1'-' 'C'f'')'l~ L \ >:di0v'i \!r') A \rnong t11e comp 1' mnce

identifiers \Vas associated with a U.S. telephone number or person. Based on a11 audit of
other queries the analysts were conducting at the same time, it appears each ana1yst thought be or she \vas conducting queries of otb.er repositories of telephony metadata that are not subject to the requirements of the Business Records Order.

(TS//Sl//NF) NSA i k'1nented the Emphatic Access Restriction (EAR) to ensme that contact chaining in the BR FISi\. repository is restricted to only those seeds that have been RAS-approved.. support personnel have conducted tests to ensme the EAR is functicmjng y monitoring m.anua! query input and output, evalua6ng individual and connected functions, as well as examining log f1les to ensllre the results of manual queries, now with the EAR in place, produce the desired results. Earlier NSA had also introduced. a safeguard reg ihe

acknowledge that they were abo-ut to access the BR FISA metudata further reduce the potential for additional instances of non-compliance. crre and rigorous training aiso emphasizes the need for caution when invoking their BR FlSA
authority. N SA ,vi!J restrict the
se!<~dor

is in the process of finalizing the testing of a sof'!~;vare modifkation v..,hich


, to chaining no more than three hops frorn a RAS-approved BR FISA metadata reposit(}ry,

\1\titbin

Intema11 au d.1ts 01 rtne ' . '. "N.C>>~ ' . l to query t~ actrv1t1es or 2>n personne1 autnonzec 11e data Lmd.er the 5 March 2009 order since 17 l\liarch 2009, when the Cowt approved the
( -~---';S'.'N'"') 1~~~ ,/; r.

first hatch ofBR FISA metadata selectors as meeting the R,'\S standard, have shown no

-further ccm1pli.ance issues.


4. (TSf/Sl!/NF) U.S. ldenW'iers Designated as RAS-Approved without OGC
Revie'\v
'! (Ui/FOUO) The relationship betv,een the tools, can be found in the Appendix, Glossary ofTerms.
!i

and A.CA'f

(U//F01,!0) St-'1:.": DIRNSA Supplemental Declaration dated 25 February 2009 at Section H.B.

'1\ii' S FC'REri/(\.l!vtlNT/ OFC'0i"4'N()F01.~ N

31 August 2009 Production

(TS//SI//NF) Bct\vcen 24 May 2006 and 2 Fbruary 2009, NSA designated approximately 3,000 U.S. selectors as RAS-approved on the Station Table without
undergoing the required OGC approval. This set of numbers was derived tram two time periods: 1 January 2005 to 23 May 2006 and 24 May 2006 to rn.id-December 2008.

(TS//Sl//NF) /\.pprox.imately 600 U.S. selectors that had been tipped to FBI and CIA betv. . een t January 2005 and 23 May 2006 as having ties to known, or probable, teiTorit;t entities were added to the Station Tabie after the BR FISA Order was issued in an effi:rrt ti) ~jum. .pstart'' the BR FiSA operations. These 6[)0 U.S. select(~rs did not undergo OGC revie1v.
(TS//Sl//NF) Betw~>en 24 May 2006 and 6 May 2009, NSA issued 277 BR FISA-based reports, all of which 'vvere based on contact chaining of RAS-approved selectors. Included in these reports were tips to customers (FBI, CJA,. NCTC, and/or ODNJ) of U.S. telephone numbers w~ct \Vith a RA ved selector associated \vith____ orwere\vithin three hops of a RA S-approved selector. For those reports issued bet\:'./een 24 May 2006 and mid-December 2008, NSA took the additional step of designating as RAS-approved io the Station Table the subset of these domestic selectors that ~overe tipped as having ties to. known, or probable, terroristentidcs. However, these selectors did not undergo the required OGC review. For this entire period (24 May 2006 to !.5 December 2008), the total number (}[U.S. selectors added to the station table as RAS-approved, but without the OGC review, was approximately 2,400. 10
9

(TS//Sl//NF) At the time the RAS-approved portion of the Station Table was mistakenly implemented as the Activity Detection List in mid-January 2009, as described in Section

'I (TS!/Sii./NF) The mtmbcr Gf reports inclnded in the D!RNSA Dedaration of 1.3 February 2009 1.vas 275. This was based upon inf(rr.mation gathered on 6 February. Further review ha,; taken into account the fact that an r.dditiomd report "''as is~>;ued after 6 February, but before !3 February. Some oftbcse reports had beco cancelled for various rea.sonH and some of the cancelled reports were reissued with ccrrectiDns. Therefim:, the c(mect number of unique reporls as of the 13 February :?:009 declaraLion should have been 274. Since \.h(~n, additional reports have been ismJcd for a t'urrem l.otal of 777 (BS of 6 May 2009). The. Dedaration a !so stated th1t thel'e were. 2,549 selectors tipped in these reports. The actual number of selec!or;,: tipped in the 2:74 reporr~ ig 2,R88.
Jil (TS//Sl!/NF) .Approximately 1000 of these sekctors fn:nn the pG:;t-23 May 2006 era .:vere reported to customers as having only an indirect cormecticHl to knovm or probable terrorist l:;ekctors. lt was not NSA policy to include this cale.gory of number~ in il1e Station Table as "RAS-approved." However, au error ">"~<lS macko during a bu.!k upload to the Staticm Table of tipped numbers on 9 December 2008 and these numbers were inadvertently induded. They \Vere present on lhe Station Table as RAS-appraved until the entire :~ei

of2,400 U.S. ;>electors were changed to "not R.t\S-approved" on 15 December 2008 (six days later). An

audit of !he Alert S\'stem, t l i e - S\'Slem and the Transaction Database &hmved that no c.hain1ng in . ' rhe BR F[SA metadat;; was perfonned on these numbers dur-iug this period.

T<?F' SLCRET//CO:'v11HT/{)RCON/NOFORN

31 August 2009 Production

1 61

-l.(H'

SE(:'RETi/C:O~v'lfN

l' iU.RC'ON,NOFORN

1LA.l., approximately 600 11 of the U.S. selectors t!om the Table had not undergone the required OGC review. Forty-six of these approximately 600 selectors generated alerts as a result of lhe actions described in Section U.A. 1; however, none of the resulting analysis based on these alerts yielded info-nnation that was subsequently tippod to customers. (TS//Sl/!NF) Designating these l)_S. identifiers as RAS-approved \Vithout the required OGC review grew out of a related practice that 'I'./ SA applied briefly to its developrnt-'Dt of the Telephony Activity Detection List in 2006. Specifically~ in its first periodic report to the Court as directed in the initial May 2006 Order, NSA stated that U.S. identifiers that had been repented to FBi and CIA prior to 24 May 2006 because of their direct contact witl1 intemat.lonal terrorism selectors had also been added to the alert list, even though they had not been qualified as seed identifiers and had not been revie>Ned by OGC. Whjle the initial report explained to the Court the NSA rationale for the beiiefthat these identifiers did not need to go through the fu.H app-roval process to be included on the alert !ist, the November 2006 90-day report also stated that the practice had ceased as of 18 August 2006. Although the use of this process to add identitJers to the Alert List did cease on that date, NSA failed to discontinue Lhe process of adding selectors to the Station Tab 1e.

(TS//SU/NF) In early February 2009, all selectors that the OGC had not reviewed \-VGTe changed to non-RAS-approved on the Station Table. B. (U) Nevdy Identified. Areas of Concern

1. (S//N

- - N o t Audited Prior to January

2(?09
(ti) De:?Jcdpt[on

(TS//Sl!/NF) January 2009 discussions between Ov the BR FISA-a.uthorized analysts revealed that the not been au N SA's repository for individual BR FJSA metadata one-lwp chains, prompting further investigalion as part of the end-to-end review. Prior to that time) NSA O&C was not a'\vare of its existence in the technical architecture and therefore did not audit the database.
([J) Remedill!l Steps

(TS//Sl//NF) Between May 2006 and January 2009, logging capabiiity recorded al1 queries via the ana.tys:t
{TS//SU!NF) These were the approximately 600 trom the pre-FfSA era; the others had be:cn changed to "nut RAS-appmved"' In mid-December 2008. llle bilure to remove ihese approximately 6DO numbers was aD oversighL The 600 selectors were changed to ''non-RAS-approved'' on the Station Table in early Febmary- 2009.
11

31 August 2009 Production

to the data within t h - to include tbe user's login, lntemet Protocol (IP) address, date and time, and retrieval request - all fieids required by the Order. AmLlysts use the
to verify the specific call event details between tv;'o individuals--

such as which selector initiated c:-:-ach call) when the caB was initiated and how long
the call lasted. However, sometimes to verify the call details of a communicaticm event the ~malyst uses the selector that was the t1rst or socond hop result as the retrieval request. Because of this, the sod ector that was the RAS-approved seBli is not always evident in the ln J 2009 N SA took steps to augment the information recorded in system log to include the RAS-approved seed that the user was asserting to be 'Nithin. two hops of the selector being queried. O&C began auditing queries to the database in February 2009. Since this enhanced auditing capability was added, O&C has audited the BR FISA-a.uthorized int:elli analysts' ueries and f{mnd no evidence of improper queries. Although the suffered a sy:;tem crash in September 2008, NSA . cient data to permit O&C to conduct sample audits of queries since the Order's inception. These sample audits revealed no unauthorized analysts conducted qucri(~S against the BR FISA me:tadata and no authorized analysts conducted improper queries of the metadata. (TS//Sl//NF) As is outside the architecture, it is currently not protected by the EAR. NSA \iill functionality into the corporate architecture to provide greater a 'ty and to help ensure compliance with the Court Order and any future requirements. Reconstituting this database ~vithin the corporate architecture will ensure that it is established and supported on systems that use corporate authentication/authorization services, use system security and configuration management practices 1 are certified and accredited \Vith approval to system s p-!an(;:,._~-;, .,., sc.\ '~ abovc a11 emp1 " operate on an act1ve ~ ecunty anu oy sortware measures that minimize complianc~e risks,

2, (TS//SWNF) nata Integrity

AnaJysts~

Use of BR FISA Metadata

(TS//SI//NF) As part of their Court-authorized function of ensuring BR metadata is properly fonnatted for analysis, data integrity analysts seek to identify numbers in the BR mctadata that are

(tJ!/FOUO) An SSP is a fcmnal document de:::crihing the implememed pmteot~tion measure~ for !he secure operation of a computer system.

t'

31 August 2009 Production

163

\.VOu!d not only take steps to prevent the selectors becoming part oftJ1e analysis in the BR FISA context, but \Vould also note them a s - selectors in other NSA systems in order to similarly prevent them from heing included in analysis conducted outside the BR FISA context NSA. detemJined that the data intcg!lty analysts' practice of populating numbers in NSA databases outside the BR FlSA databases had not been

(TS//SU/NF) For exarnple, NSA maintains a database, hich is widely nsed by analysts and designed to hold identifiers, to include the types ofllll
-numbers referenced above, that, based on an a..Dalyt.ic judgment, should not be tasked to the SIOH-.IT system. !nan effo-rt to help minim.ize the risk of making incorrect associations between identifiers and the data intet,rritv analvsts provided the BR metadata . A srnaU mt~ber ~filii BR metada-.ta business numbers Viere stored in a that '\.vas accessible by the .BR F!SA-enahled- a federated query tool that allowed approximately 200 analysts to obtain as much inf(mnation as possible about a ar seiector of interest B{)th and the BR FlSA~enabled allowed ansJys-ts outside of those aut,l-torized by the Court to access th number lists. The end-to~t'nd

review has not ide~titied any other systems that have been fed u s i n g numbers uncovered by the data integrity analysts from: the BR FISA metadata.

(TS//Sl//NF) Similarly, in January 2 0 0 4 , - deveioped a 'defeat list' process to identify and remove selectors de-emed to 1:-,e oflittl_e analytic value and that
fn building defeat lists, NSA selectors in data acquired pursuant to the BR FlSA Order as \veil as in data acquired pursuant to EO 12333. \Vhen candidate selectors

identitJed

contained in the BR FISA metadata \Vere found to have a obtai ned approval from the

mtegnty to those come BR FlSA metadata, to be added to tbe defeat list This resulted in atl references to those selectors being removed from al1 o chain databases, to include the database containing and processing data pursuant to EO 12333. Since Au 2008, also bt--en sending all selectors on the defeat list to the

{U) Remedial Steps (TS//SI//NF) On l 1Vfay 2009, NSA determined that the data integrity analysts' practice of

populating- nurnbers in to access this database Vias an


quarantining the BR-derived identitlers in 2 M:ay 2009. Access to the ti1e containing the-sm

and using BR FISA-enabled


/\immediately began completing the action by R-dcrived

TOP SF.t''RFTi'C'CJr.,.:lJN! ''C!RCON/NOFORN

10

31 August 2009 Production

'['iW SECR LL'C'C)fVllr~ri.'OR('()Ni~"\lOFORN

identifiers by the BR FlSA-enabled-Nas shut off on l2 ?vhy 2009, when file-s created by the data integrity analysts l"lere moved to a protected work f1le systen1.

(TS//Sl//NF) NSA
on 11 2009

dete~gl:t se:ect~rs

f!om the BR FISA metaclata have


m November 2008,

ever been added to t h e - l i s t Start! began to maintain defeat lists for BR FISA

t list. The BR F!SA defeat lisi.

removed the eight BR FfSA selectors from its will no longer be

un ' th1s issue is resolved.


(TS/iSI//NF) As the positive impacts that result in making these numbers available to analysts outside of those authorized by the Court seem to be in keeping with the spirit of reducing unnecessary telephony collection and minimizing the risk of making incorrect

a.ssodations between telephony identitiers and targets, NS/'.,_ vvill work wi.th DoJ to seek
l ' ' ' i3 (~ ,ourt approva, ro contmue such practices. -

3. (TS//SV/NF) llse of Correlated Selectors to Query the BR FESA lV!etadata

- revJe\:v revea Jeo tthe f'act t h 01 L' usmg enrJ-to-ena .at NsA' t :,_ s pmcnce correlated selectors to query the BR FISA metadata had not been fully described to the
1 'N __ . ~h 1, .11 .~n !-) J e ( -~ssr

Court_ A communications address, or seiector, is considt.'1'ed colTelated with other communications addresses -vvhen each additional address is shown to the same

the BR FJSA metadata routinely used to query the BR F1SA metadata Without a separate RAS detennination on each correlated selector. In other words, if there WIIS a successful RAS determination made on any one of the selectors in

- O U O ) See App~:ndix l, Glossary ofTerms, for eY.pan~ion and defi:nition

TOI' SFC'f{E-l'i/C'OMlNTiif)RCC)N.'NOF:ORJ\

31 August 2009 Production

the correlation, a11 \Vere considered they were all associated with the

roved f(:;r purposes of the

que1~y

because

ccme!ations fi:urn a variety of sources to include Intelligence Cor:nm reporting, the tool that. the analysts authodz,e-.d to the BR FISA metadata primarily med to obtain the c(melations is caHcd . A description ofhow is used to correlatewas included in the govemment's 18 August 2008 Ji.ling to the F1SA . \Vhile NS/'1. previously described to the FISC the ce of using correiated
(TS//Sl//NF) Although NSA obta correlated selectors selectors as seeds, the FISC never addressed whether met the RAS ~iandard Vihen any one of the correlated ectors met the RAS standard. A notice \\'as filed with the :r'lSC on this issue on 15 June 2009.

HJ) Remedial Steps

- - a database that (TS//SI//NF) The holds corn:::1ations betvveen selectors of interest~ to include results from was the primary means by 'vvhich correlated selectors "rVerc used to query the BR FISA mctadata. On 6 February 2009, prior to the implemt.'fltation of the EAR,-<> access to BR FISA metadata \vas disabled.) preventing- from providing automated e:orreiation re::mlts to BR FISA-a.uthoriz~;d analysts. In ad the implementation ofthe EAR on 20 February ended the practice oftreatin correlations as RASapproved in 1mmual queries conducted wiillin 'nee the EAR requires each selector to be individually RAS-approved used to query the BR FlSA
data. N SA ceased the ractice of '\:vithi11 the Order. correlations as RAS-approved in conjunction with the March 2009 Court

4. (TS//SV/NF) Handih1g BR FI.SA rvtetadata

(TS//Si//NF) 'rhe results ofthe Homeland Secmity Analysis Center (HSAC) ana1ysts' BR FJSA metadata contact chaining queries bave been routinel made available to the hroader population ofNSA analysts working - T h i s sharing helps ensure that analysts w1th &peel. target expertise c::1n apply the full scope of their knowledge to the BR FISA-generated information to identify ali possible terrorist connections quickly and characterize them 1Nithin the context of the target's known activities. With only 20 HSAC anaiysts approvt:d to query the bulk BR FISA metadata and more than one thousand analysts v,,.orking vmious aspects of the counterterrorism mission entcrprise-1vidc, fewer than t\.vo percent of counterterrorism

roP sr:C'RF:'r/.'C'()tv1lN'l' /()RCON/NC)FORN

12

31 August 2009 Production

analysts cutrently have the authority to access the BR FlSA metadata. Thus, the collective experience of the BR FISA-authorized tma.lysts represents a small fraction of NSA 's overall expertise on counterterrorism targets. CT target analysts beyond the small

numher currently authorized to query the BR F!SA metadata are responsible fbr analyzing the data in the CGntcxt ofS1GINT infom1ation and \vriting reports; this practice continued under the structt.!re imposed by t11C lvlarch Court Orders. NSA believed such
intemal sharing ofthe resu.lts ofits analysis (as distinct from the buik metadata itself) 'Vias consistent with the Court's Orders. but had not included a descri of it to the Court in

to Ma 2009,

(TS//Sl//NF) ln addition, the Court Orders prior to 2 March 2009 state that "any processing by technical personnel of the BR metadata acquired pursuant to this Order shall be conducted through the NSA's private network, '<.vhich shall be accessible only via select machines and only to cleared technical personnel, using secured encrypted communications." The end-to-end re\'ie'i'-' revealed that the way in which NSA protects the data is not precisely as stated in the Court Order; however we 'believe NSA's implcrnentation is consistent with the intent of preventing unauthorized users t'rom accessing the data. For e:r. .ample, there ate not specifically designated or "select" machines irom which technical personnel access and process the data on NSA 's private, secure network The internal NSA communications paths on its classified networks are . ' an d secunty . access contro . Is 15 DOt encrypted, out are su b. Ject to strong p h ysiCEll \V h.rc.h provide the necessary protections.
< '

(TS//SI//NF) The end-to-end revieiV also revealed that data integrity analysts, in order to conduct their authorized duties, pull samples of rav-/ BR metadata into their private directoric~s on the NSA network, which they aecess via username and pa.<~sword, to analyze the metad.ata in order to develop ne1-v pP.rsing rules or prepare samples for spot checks. The pti vate directories offered them a \Vorkspace to analyze the metadata using tools and applications that they could not invoke in the - W h i l e these 'vate directories could be i''''""'""~''""'j repository to the two described to the Court, repository. The data integrity analysts are authorized to access th<:! d.ata.,. and any imp01iation to their ovm systems was deleted Vlhen no longer heeded. (TS//SI//NF) Additionally, the revic\v uncovered that data integrity analysts, in conducting their authorized duties 7 copied da.ia into t\VO shared directories created for
(TS!.iSli/NF) The NS/'; complex is a Sensirive Cornpartmenied Information Facility (SCIF) that is <lil accredited insta!latiol1, incorporating strong physic1;l and securit-y access control measures (barriers, lockl<, alarm systems, armed guaJ-ds). to which only authorized pcr&onnel are granted access. \Vithin NSi~, onl:t apr>roved Llsers of NSANET can ~win access to tht:.' network through login and password. Once on the m~t\vork, the user cm1 onlv acc.es;-tbe HR F!SA metad.ata if additi~mal access controls spr::cif!cally a.ll.ow such access. Accei>s to pa~ticular data sets i~ granted based ()D Med-to-know and is verified via PLlblic Key Infra,;tructure (PRJ).
15

31 August 2009 Production

restricted infbrmation with a controlled user set These shared directories also offered aGcess to similar tools and applications as mentioned above. NSi\ learned that roughly 170 rx~rs.orme.l who at one time had bt--en deared for sensiti;,,: metadata progn:u11s had

access to files on this server. Approximately 15% of these perscmnel were system
administrators or data integrity analysts; the remainder included intelhgence analysts, rna.nagers and engineers. \Vhde it vvas possible for the files to he accessed by any of these personnel, it is unlikeiy that anyone other than data integrity analysts would have:: done ~;o since it '1-Vould have been outside the scope of their duties.

(TS//SI//NF).A notice \iiias filed 1-vith the FISC on the matter of sharing results of queries
within NSA as it rel.ates to the BR FlSA Order on 12 June 2009. While NSA believes the ability of BR FrSA-authorized analysts to shaxe unminimized broader population ofNSi\. a.rl.a.iysts ;,.vorkingis critical to the success of its countcrt:::rrorism efforts~ effective 18 June 2009 NSA began the process of limiting access to unminimi,ed BR HSA metadata resuhs too authorized analysts.

I.

- t h e Court explicitly au contmuatwn ng o authorized queries with NSA ana!yst.s other than the limited number authorized to access the bulk metadata, provided all analysts receiving such results receive ",...,..,,..,,,,~,..,
adequate training. n}e government anticipates seeking in

the BR FiSA context. (TS//Sl//NF) Regarding the handling ofmctadata by technical personnel, NSA implemc.ntcd additional. access controls us1ng UNIX group acc:.ess control which assured
that only the data integrity analysts were in the "group'' which could access this data, and

is providing appropliate protected storage areas for the data integrity analysts' work files.
With regard to the manner in v.-hic.h NSA secures the BR FISA metadata., NSA v,rill v~orlc i?v'ith DoJ to more accurateiv to the Court the cu1Tent ... reflect in anv future wmlicaticm t method of providing protection. fnstead of ac1..-essing the data via select machines using secured encrypted communications, NSA provides protection through the use of the
~ ~

secure network; use of NSA.'s identity and authorization access control service; and other

NSA corJ:>orate standard data protection services,


5. (TS//SU/NF) System Developer New Tools
Acct.~ss

to .BR HSA Metada.ta

~'vhile

Testing

(TS//Sl//NF) In it8 revimv of all tools and interfaces that allowed access to BR FlSA metadata, NSA determined that developers assigned to v;ror~ -next eraticm metadat.a anal user interface (GUI) which is the replacement had queried BR FlSA metadata chaining sumrruLries during ce>un;e their testing bet\Veen 26 September

2008 and 1 I Fcl1nrary 2009. This a.ccess occurred due to the dua[ responsibiHties of the

14

31 August 2009 Production

individuals involved, Th(; developers on


responsibilities for the operational system,

also ha,ve maintenance


their access to BR FtSA

is \Varrantcd on a continual basis, While the a ons ,were in keeping \'Vith the Court Orders that V>-'ere in placrJ a1 the tirne of the queries, access to the BR metadata was
unintentional and unknown to the developers at the tirne,

n:.n Ren-uedial Stegs


(TS//SI//NF) \Vhen this issue emented a software change on 19 March 2009 to prevent the GUr from accessing [3R FfSA metadata regardless of the user's access level or the RAS stalus oftb<~ selector_ NSA aiso implemented an oversight process \Vhereby all BR FISA-authorized technical personnel \vho have both maintenance and develop1T1ent responsibilities have their accesses to BR FISA metadata revoked when involved in new systems development This process v:,rill ensure no inadvertent access to the data until such time as these technical personnel receive OGC authorization to access BR FISA metadata to test technological measures

de.<.>igned to enable;; compliance with the Court Order. T'ne NSA O&C 1s notified each
time anyone's pennission to access the BR FfSA metadata i.s changed and tracks these changes for compliance purposes. 6, (TS//SWNF) Provider /;\sserts That Foreign-to- Foreign Metadata VVas Prnvided Pursuant to Business Records Court Order

metadata started c.cnning into NSA in January 2007.


fll} Remedial Step;s

. lS DO"V

spec1 fT-um its scope the aforementioned foreign-to-foreign111etadata. The provider ceased pror,'iding this rnetadata on the same day as the Order was signed, NSA is coordinating \Vith the provider and the
NSD/DoJ to resolve this matter. 7. (TS//SI/rNF) Onintentional Omission o.f OGC Revfew of U.S, Identifiers

15

31 August 2009 Production

T()J' SFCRL"TiCOiVIfN'fiifJJ\Ci)N/NOFORN

(TS//S l!/NF) It \Vas recently discovered that during the June through October 2006 timefi:ame, in the proceE:s of implementing the initial BR FISA Orders, a few domestic numbers were designated as RAS approved and chained without OGC approval due to compou.nd analyst errors. These errors occurred \Vhen analysts inadvertently selec!ed the incmTect option in a Oll L The correct option 'Wl..mld have designated the domestic identifier as needing OGC approvaL The incorrect option put the domestic selector into a large. list of foreign selectors "vhich did not need OGC approval as p.:ni of the RAS approval process. In those cases v.;bere the Homeland Mission Coordinato-r (HMC) failed to notice the domestic number in the targe list of foreign selectors and i.he RAS Justifka.tion was approved, the number \Vas chained. NSA continues to investigate this matter, but, based on available rewrds, NSA 's initial estimate is this occwTed fewer than ten times. NSA wili prrJ'I.ide additional information as appropriate. A notice was filed with the FlSC on this issue on 29 June 2009.

{TSi/SI.//NF) Each time an error was identified through quality cont.ro1, senior HMCs

prov-ided additional guidance and training, as appropriate. Continued training and management oversight, in particular when new analysts arrived, helped ensure such errors v,:ere not repeated.
8. (TS//SIJ/NF) Exten:nd A.ccess to Unminimized .BR FISA l\'letadata Query Results

(TS//SI//NF) !.n examining NSA 's pn:1ctice of sharing BR FISA metadata internal. with other NSA analysis working auth(Hi.zedNSA learned of CIA, FBI, a.nd NCTC analyst access to unmiru A metadata-deri ved query results and target knowledge information via an NSA counterterrorism database, This rnatteL. just recently identified, \Vas a col.laboration practice that vvas in place prior to the inception of the BR FlSA Court Order. Over time, approximately 200 analysts at CIA, FBI, and NCTC had been granted access to this target knm;vledge base. \Vhen the BR program was brou&1t under the jurisdiction of the FrSA Court, this p-ractice llv'as not modified to confonn with the Order's requirenwnts for the dissemination ofBR FlSA metadata-derived query results outside ofNSA. A notice was filed ,~,,it.h the FISC on this matter on 16 June 2009.

(TS//SU/NF) While NSA disabl1;d the hyperlink button used by the external analysts to

access this target knowkdge database in the Summer 2008 tlmeframe; NSA teamed. that the external anaiysts could have s.till accessed the data if they retained the URL address.

16

31 August 2009 Production

TOP SEC RC! /iC(l!vffNT/i()EC'CJN/NOFORh'

Upon identifying this as an area of concern o-n 11 June 2009, NSA began terminating
external customer accoun1 access to the target kno\vlcdgc database, completing the action

by 12 June 2009. NSA is continuing to investigate this matter; audits are novv underway to determine the extent to v,rhich the query results may have been accessed. Once comp1eted, NSA win provide a full explanation ofthis practice.
9. (TS//SII/NF)
Di1;\semi~H~tion

ofBR Ff.SA Information

(TS//Sl//NP) When an NSA analyst determines tbat infom1ation identifying a U.S, person

is critical to include in a metadata report, he or she is required to obtain dissemination authorization from the designated NSA approving oH!ce in acc.ordance with the Court's Order. Specif:kally, the order requires that prior to disseminating any U.S. person infom1ation outside: of the NSA, the Chief oflnfonnation Sharing Services must determine that the inf{mnation is related to countetierrmism ini~Kmation and is necessary to understand the information otto assess its importance. In fact, the Chief of lnfonm'ition Sharing Services, when unavailable, has in the past delegated this authority, typically to the Deputy Chief: A.dditiona.Hy, after hours or in an emergency situation, this authority has a!so been deiegated to NSA 's Senior Operations Of:fker (SOO) in its National Security Operations Center (NSOC). BR FISA metadata analytic results also applied to '\vhich wa.s established to among NSA's
atton ( fs), su to

sensmve m

- Queries~ called Requests

ssem.ina.ted to a11 the partners fc.r response. Only those RFls that the er111ined were BJlS\Verable by NSA were forvv.arded to the HSAC. HSAC queries i.n re,"Sponse to the RFis '\,:vere only perfbrrned a.gainst valid RAS~approved selectors. T h e - standard operating procedure was to minimi.z.e HSACs results and then merge them with the results of all partner nations witb any sourcing ini{nmation
sanitized. Ofthe 12 RFis sent to HSAC from the. bctv,een 2007 and 2008. HSAC affirmatively responded to only f{mr. The tum, provided the results oioneJ() of these RF1s, in a sanitized format, back to Second Party requestor. While the query resuits were saDitized to remove information regarding the collection source., it 1va.s recent!' J discovered that t1vo U.S. ielevhonv ... identifiers derived from .BR FISA metadata analysis results \Vere inadv ng minimized b~with the 17 As it was n o t - practice to disseminate . person m atwn, obtaining dissemination authorization f)om the designated NSA approving office was not pari: of their process.
~.

I(,

IU//FOUO) 'T'he RFl rc::<ponsc is not a suh~~:t of the 277 reports cliscllssed earlier in Section ll.A.4. ' .

TOP SFCRETI/C:orv'iiN'L iORC'ONi\JCJFC:JRN

17

31 August 2009 Production

(TS//SI//NF) NSA is currently ccmducting a review ofa.tJ.y BR FISA metadata~derived repo-rts that contained U.S. person identif)~ng infi:mnation to determine consistency \Vi.th

the Court's Order. Once this is completed, the results will be provided.

JH. (Ll//fOtJO) NSA.~s End-to-en.d BR

f:J~jt,.

Revie'w

A. (ti) Scope
(TS//S U/NF) NSA established a team of experts to conduct a thoroug.l-J end-to-end systems enginee1ing and process review of the BR FISA metadata worki1ow. lne team reviewed 93 requil"ements extracted fhm1 the March 2009 BR FJSA Ccmrt Order,

Application and Declaration; dataflow diagrams; and system documentation (to include systems engineering and security plans) to ensure a c.mnplct(~ understanding ofhow the requirements were being met prior to 2 1v1a1ch 2009, hmv well they arc currently being
met, and what changes may be needed to ensure compliance, The team then used these requirements as a basis to examine six key aspects (systems architecture, analyst worki1ow, n1ana.gement control, compliance auditing, oversight, and training) ofNSA 's

handling of BR .FISA metadata, and to establi.sh a comprehensive plan to ensure that a11 requirements are addressed and properly implernented,
(TS//Sl.//NF) Another critical step in preparing to conduct the end-to-end review was to

identify and map bmv all the system components tit together. Lack of,such
awareness contributed io the problems initia.lly reported to the FISC.i 8 Tbe systems/processes reviewed 'Nere:

end-to~end

I.
2.

3.
4.

reposrtory ind1vi ual BR FISA metadata one-hop 5. the Telepholl.y Activity Detection (l\lerting) Process 6. the Reasonable Articuiablc Suspicion (RAS) Approval Process 7. tl1e BR FlSA Analytic Tools tmd Processes 8. the BR FiS,~. Analyst Decision and Reporting Process.
'R (U//FOUO) Se:e Deciaralio11 of lhe Dlrec.tor of the National Secur~ty Agency (DIRNSA) dated l3 February 2009.

10r1 SI;(.'R ETi.'('()rv! ff\iT/iORC'ONr\OFOR ;. .;

18

31 August 2009 Production

1op SLC'RE.T/i('(J\11 N'f/iORC\)N.NOFOR N

ases are accessi to BR FlSA-authorized intelligence ysts. analysis also use the tiJllo'vving processes; the Activizy Detection (Alerting) Process, the RAS Approval Process, the BR fl.SA Ana(ytic h>ols!Processes, and the BR Fl5'A Analyst Decision/Repotting Process to identify, query, analyze and ultimately disseminate information dc!i,ed from the metadata. These eight components, part of a large and complex system, arc further described in Section m.c. and pictured in Fig11res 1-10. Figure 1 provides a top-level view of the overaiJ architectural system, Figure 2 highlights the eight components, while Figures 3~ l 0 highlight each of the individual components in b,JTeater detail Each component is retlected '\Vith correspond-ing colors in the diagram.s.

(TS//SI//NF) In concert. with this systems engili.eering end-to-end reviev-,1, NSA conducted
a thorough review of its analytic processes, management controis, auditing mechanisms,

oversight and training for the BR FJ.SA mctadata handling. This included a thorough
examination of each activity, too! and analytic process to assure thai it operated in comp1iarlce v. :jth the Court Order. The rcviev,; Jed to several addii:icmal audits to ensure that no compliance incidents had occurred and to eY.amine whether or not the individuals who \Vorkecl with the BR FlSA metadata fully understood the appllcable authority and limitati.ons. Documentation and training were also updated. Each part of the review compared the component or process being reviewed with the relev~'1t rer...Juirement from the list extracted hom the Couti documents.

NSA' . . anc1work" . . processes ; s systems engmeenng -nm.v revrev:s surveyec1U1e and tools as they existed before any remedies v:,ere implemented. This retrospective evaluation enab1ed NSA to develop the near-term corrective m.easures necessary for current Court-approved opGYations and. potential resu111ption of regular access to the BR FlSA metada.ta should it be authorized by the Court. It also infonned plans for incorporating the BR F!SA flow into the NSA future architecture more effectively.

'NF) (~'S''S'. l L t/ 1/it ..

R (U) Methodology:
(TS//SI//NF) l-.JSA employed a repeatable and well-documented process in conducting its cnd~to-end rcvievi_,. NSA derived technical requ[rements from the legal. requirements governing BR FJS.A metada.ta handling. As noted, NSA simultaneously began to develop an end-to-end systems engineering dia&,rram ofthe systems and databases that support BR Processinf! and storage, NSA also devdcmed. and conducted Initial Privacv Assessments ([PAs} which include a standard set of questions used to determine, among other things, whether the system or process under re,riew interacts '>Vith data that could contain inHmnation about U.S. persons. The outcom.e of the IP/\ determines whether a more in~
l....< ._.

...

19

31 August 2009 Productio

Impact 1\.ssessn1cnt ' . ' J 9 ts . reqmrea ' 1 to .!' I explore '" extent O<. .t.' 1 IA.) !:U !.y the interaction and whether any privacy compliance concerns exist /\n IP A \Vas conducted for any system or process identifjcd as potentially part of the BR F!SA metadat11 end~to
J '. r- . Ciepth r'nvacy

en

end data Dow. For those systems con tinned to be in contact with BR FlSA metadata via.
the IPA, a PJA vvas perfonned. The results oft.he I.P As and PlAs were then ccHnpared ai!ai.nst the Court-derived r-equirements to determine the level to which each requirement . . was sabsfled. For an:y system or proc.ess f{;r which there was concern, !'-~SA is developing \VeB~documented, fuily-tcstcd corrective solutiom\ ~:hould the Court dedde to allow NSA to resume its regular access.
~

1. (tJ//FOVO)

m b .. Upon recei sorts and labels the: data according to data source and type, and determines the necessary routing path that is to be used for the different data types. -does not dcTive, process or create new data i1om this data set.

(TSi/Sl//NF) Except for the other si tl.cant issues in

vider issue identified in Section ILB.6, NSA identified no of the BR FISA metadata.

2. (W/FOUO}

(TS//S!f/NF) NSA's corporate file fonvardi.n.g service, provides for distribution the BR FISA metadata from the collection source to the analytic repositories. It accepts files from sources and transports those files to the end destinations identified in the filenarne given to the file by the source system.

TO US/\, FVEY) The l'PA/P!A framework providml a way for the Agency to assess r:ompliant.e risk. This thimework \Vas not used to SUJY~rnede any Court-derived requirement~. Both the IPA and PlA 1emplate!i were based on Department of Delcnse (DoD), DoJ or Homeland Security Privacy Assessml?-nt frameworks and then. adju.r;ted for the SIGfNT environment. V/bilc IP As and Pl. As are n<Jt required for the lntdligence Community, they provided a sound me1hodology for the sye.tems engineering end-to-end

11 ' (C//R.EL

re:vie'.v.

TCJFl S I.:.CI~ LTi!C()i\.'1 f\!f'!/ORC'C)NiNOFORN

20

31 August 2009 Production

. con f'" ' '1 OVi'S an d- sys.em t ts tgureo l o a11 ov. dr:lla1 accesses by technicai personnel to be monitored and. logged. The system has security controls that are documented across rnuHip1c SSPs. ernploys security access controls, such as P10, to veri f); users and their system ac.cess and likewise employs tile transfer controls20 to verity file transfer access, file source and file
.. IC'.) ( 'T'e!,/IQ1' JJ. i''I\ ,,r
L) . . . .

destination. '"fhe

system also employs a stringent configuration

management methodology such that software changes cannot be impk:rncnted \Vithout the required testing and approval.
3. (U//FOUO)(TS//SI/INF)-, NSA 's corporate contact chaining from multiple scrurces. rt uccepts tht; BR FISA metadata files from stores the raw metadata in a separate reaJm, performs data quality, preparation and sorting

functions; and then summarizes contacts represented in the processed d a t a . stores the resulting contact chains and provides analysts with access to these contact
chains.

(TS/iSII/NF) T h e - portion oftbe end-to-end review demonstrated that the ing the neces~ary protection ofthe BR F!.SA metadata v,rhile it is in dotmtin given the added protection provided by the implementation of the . removal ofthe system level certif]cate..s.- has always employed other access controls, system security and confi.guration management practices for ensuring appropriate protection of the BR FISA mctadata residing in its database and accessed by authorized analysts. They include, but are not limited to, a fully certified and accredited system under a System Security Plan and effective use of corporate
system is now authentication and authorization service. (TS//SI//NF) As stated earlier, NSA instafled the EAR on 20 .February 2009 in response 21 to a complia..'1ce issue previously reported to the Court. Prior to the EAR, NSA \vas relying on analytic due diligence to q u t . ' T y - \Vith only RAS-approved selectors. The EAR, via internal soflware system controls., now ensures that manua.l contact chaining is restricted to only those seeds that have been RAS-approved by the C~ourt by preventing a nonRAS~ . ved selector from being used as a seed f()r condLJcting cnll chaining ofthe BR FISA metadaia in t h e repository. In adc1it1on, NSA removed the system level '..;;ertiilcate that had been used by

automated tools to access the BR FiSA meta.data. ln so doing, NSA disabled all autornated querying of the BR FISA metadata. i\ccess to the BR FIS,LI, meta.data chaining in.fcrrmation i n - is strictly controlled via individual user access
authentication/permission and this access is logged in accordance with the current BR F!SA Court Order.

li

(U/iFO'UO) See DIRNSA Supplt:-ment<lt Dedara.ticm da(ed 25 February 2009.

21

31 August 2009 Production

(TS//S U/NF) The implementa:t[on of the EAR had an unintentional adve..-rse impact on th~.;~ technical support mission ofNSA's BR FISAauthorized data in analysts. Prior to the addition of the EAR, these analysts frequently queried Contact

Chaining Database for the limited purpose ofverif)ring their parsing rules(~\ m.;;th<rd

!~w

data into standardized data fle1ds). Analysts cornposed these rules for BR FISA metadata to detennine 1-vhether the system output represented accurate connections between cornmunicants. In so doing, the data integrity analysts q u e r i e d - using both RAS and non-RAS-approvcd sekctorsj as they were authorized to do. This type of querying is especially important when a new data fcHmat is received fiom one of the providers. Once the EAR was put in place, these analysts cou1d only query the database using a RP~S-approved selector. This diminishes their ability to test and evaluate their parsing rules. NSA is finaliz.ing testing of a technical solution to create an EAR-bypass capability so !ely for the data integrity tcarn. The existing impaired ability of the data integrity analysts is assessee! as a system performance vulnerability, as H ccmld result in improperly fi:Jmwtted data.

(TS/SI/!NF) While the EAR restricts the ability to query the-Contact Chaining Database to only RAS~a.pprovcd seeds, there is no similar technic::tl restriction to prevent a BR FlSA~authorized analyst from chaining beyond the Court-mandated three hops hom a RAS-approved selector. NSA is finalizing testing of a software modification to provide this contact-chaining hop restriction. In the meantime; training and management oversight ensure that contact chaining i.s executed in accordance \.Vith the: Court Order.
(TS//Sl/NF) The end-to-end review also identified the fact th incorporated a d(~fcat list including BR F1SA-derivcd selectors to manage data ingest umes rnore effecUvely. The inclusion ofBR FlSA-dc:ri-..ed selectors on this list is described more 1ul!y in Section H.B.2.

4. (tl//FOUO) MRG System Transaction Database


(TS//SU/NF) is used bv authorized BR FISA analysts 10 view detailed dati.l about speci calling events. As Contac.;t Chaining Databas<.:: only contains summaries of one-hop chains selector 1 r,vas in

the-

-N

'thin a

(TS//SI//NF) The end-to-end revie"v revealed an area of co-nc-ern resulting from the fact that queries witl1in the had not been audited, as described in Section IL .. J. su audits showed no indication of unauthorized access to the or of any improper querying of t h e -

TO I" Sf.'C'/\ FT'.,{'()f'v1JNT/:'()R(CiN.NOFCRN

22

31 August 2009 Production

.l (.)f:: SEt....~l~ r.:J/:;(.'()\1 r N'J . /;.'() ll (~CJ ~~ . ..:J\.l (.) r~f.) l{ N

(TS//S l//N F) The revie\V abo identified other systern weaknesses. First, insufficient documcntaticrn and configuration managcrnent (the ahiiity to track versions) exist to

ensure that no unauthorized or unintended changes can be made that would make the r<uc'-"~ non~co 'ant. although it is attached to the-net\vork., the is not afft)rded the additional protection z!f fireVitall although access to the database is strictly controlled. Third, the; is nnt protected by the EAR, thus there are no measures m ace to prevent a BR FlSA-approved analyst from querying the
metadata using a non~RAS~approved selector or one that is not within two hops of a
RAS~

improper manua1 queries ofmetadatausing non-Court-approved selectors, NSA has provided analysts and is conducti audits of queries. see a pop-up

g to author.i .t\dditiona!ly, analysts using \Vindow reminding them to use only RAS-appro chainjng to the Court-approved number of bops.

(TS//Sl//NF) NSA is preparing to incorporate into thr; NSA corporate architecture. This transition to the corporate engineering fh1mework vdll maximize usc of the latest technologies and proven contigtrmtion m.anagement to minimize aiJY security mKi comptiance risks. fn the interim, NSA is addrcssin.g these vu"Jnembiiities through improved training., competency testing and increased management oversight.

5. (tri/FOOO) Tek:phouy Activity D:tection (Alerting) Process (TS//SI//NF) The Act1vity Detection (Alerting) Process identified \,vhen a selector on tl1e Activity Detection List vvas in contact Vi'ith an incoming number in a gt>/eri day's BR metac.b.ta when that contact originated or terminated in the U.S. This noti f!cation, in tum, aHovled analysts to prioritize their foHow-on analysis. lfthe RAS standard v,;as met on the selector, the system pcl'fonned autom.atL'C! contact chaining in the BR FlSA metadata
archive to identify and track t<:uorist operatives and their support networks both in the U.S. and abroad. If not, a notif-ication -...vas made to NSA personnel so that they could determine whether to attempt to satisfy the R..A..S standard, \:vhich would then allo\.V such contw.:~t chaining to take place manually. (TS//S!//NF) As noted 'in Section H.A.1., the Activity Detection List consisted of

telephony selectors - - t h a t had been RAS e'valuated as \li-'e]j as selectors that had never bee11 RAS evaluated- The oriE:,rinal Activity Detection List v1as built frorn two sources; one vvas called the ''Addrc:-ss Database," vv'hich v,as a master target database oft~;reign and domestic telephone identif!ers that were of current fore.ign intelligence interest to counterterrorism personneL The second sourc.e \Nas which was and continues to be a cb.tah:::tseNSA uses as a selection rnanagement sys1em to manage and task identi'fiers tor SIGINT collection. One ofthe features o - is that it is enriched vvith correlations oftelepbon.v identifiers associated V>'ith numbers . enncnment -' . enao ' Jcu .. .-! ny ' .' . a 1 Nl-system.. ~, tas k ,cd toth c , 1.. ! ms IS w llJCi1JS SJ."('

23

31 August 2009 Production

l C!P SH..'RE!"iiC()I\1[N'i'i/ORC:C\NiNOFORN

database used to store CO!Te1ations betv.cen selectors

tl:H:: result of the compliance issue previously reported to the FISC22 and as described in Section ILA. 1 of th1s report. NSA shut dmvn the Activity Detection Process entirely on 24 January 2009 as a corrective measure. (Of note, under the prior implementation bcfc>re contact chaining could take place in the co-mplete body o-f archived metadata and be'f(m:) any results of such analysis Vi' ere disseminated, the alerting selector had to satisfy the RAS standard and be approved explicitly as having done so.) This process was thoroughly examined in the course ofthe end-to-end review and consequently a revised implementation, as described in Section V .A., has been proposed should the Court approve resumption of regular access.

(TS//Sl//NF) The Telep-hony Activity Detection Process is no1 currently operational as

6, (TS//SII/NF) RAS Approval Process


(TS//SI//NF) The RAS ApprovaJ Process is the mechanism by which an analyst must be able to articulate some fact or set of facts that causes him or her to suspect in of the totality of the circumstances that a particular number is associated \Vith or associated terro-rist organizaticms before he or sbe may use a telephone electronic 1dentitler as a seed to query the BR FrSA metadata,

(TS///Sl//NF) The RAS Approval Process in place until 2 March 2009 (the date of the FISC Order) incorporated a combination of documented guidance a1"1d weJJ-understood procedures as outlined in the OGC RAS Memo and the analytic office's RAS Working Aid. During the three years that DoJ has reviev,:ed NSA RAS approvals, no spot check has revealed a faulty RAS approval decision.

7. (TS//SI!/NF) BR FISA An.aJytk Tools and Proceses

{TSI/Sii/NF) The BR FIS.A Tools \Vere designed to analyze the raw BR FISA metadata as well as the output of anaiytics such a s - contact chaining. Analysts us~:d these
tools ngainst the BR Fl'SA metadata and chaining results to identify possible tcnorist

communications into, fhHn

an~!

within the US.

(TS//Sl//NF) Tv.o instances of concern relatQd to the analytic too1s and processe:s used by

the BR FlSA-authorized intelligence analysts were identified through the end-to-end


review and <:lTC described in Sections II.A.2. and H.B.3. These tools and processes) which '~'iere designed to f\.mction against both the BR FlSA metadata and other ca.tegoties of telephony metadata that NSA acquires through SIGINT operations authorized under the general provisions of EO J 2333, \Vere used primarily by analysts within NSA 's O:ffice of Counic:rterrorism to identify possible terrorist connections into, fl:om, and vvithin the UB,, as \Veli as foreign~to~:fhre-ign communications, 'I\vclve of the 19 analytic !ools examined
17

(Ui/FOUO) See DJH.NSA Declarsti.on daled ! 3 Fe.i)mOI!J' 2009

24

31 August 2009

Produ~tion

\t.'ere developed und systems architecture and are weU~documented, configuration-control ed audited. 'T'he other seven BR FISA analytic too1.:; examined \'VCIT developed in whole or in part by engineers working in the Counterterrm"isrn

Organization to meet constantly changing mission requirements; resulting in limited configuration cmd change management control. All 8even of these tools were either monitored through existing O&C audits or \Vere subjected to new audits and/or revie,,.s
as part ofthe end~to-end review. \Vith the exception

- a n d G UI, none of these tools are currently able to access the BR FISA
metadata_ (TS//Sl//NF) To mitigate risk in the future, NSA will transition the BR FISA analytic tools and processes to the corporate NSA enterprise arch1tect1Jre and will no longer develop tools within the Ofl'ice of Counterterrorism. Complete end-to-end testing will be conducted for all tools against a standard set of B R FISA requirements to ensure they are fully compliant prior to resumption of automated operations if authorized by the Court. 8. (U//FOUO) Analyst Decision. n.nd Reportrn.g Process {TS//SI/!NF) The Analyst Decision and Reporting Process encompasses the target knO\:vledge, guidelines and procedures that enable intelligence analysts to determine what information meets customer rcauirements. It also invoives the evaluation and ' minimization procedures intelligence analysts employ v-.rheo analyzing data and drafting and dissem.inating reports.

(TSi/SI//J'-~F) Prior to ihe alert list shutdm~m on 2.4 January 2009, the BR FISA analyst decision and reporting vvork flow began when an HSAC analyst \Vas notified of a match

betvveen a kn.own selector of counterterrorism interest and an identifier in the ingested BR FISA metadata, \Vhen an analyst received cui RFI from a customer, or when an analyst \.vas continuing ana1ysis on an existing target set. Aside from the activity detection list; the process remains the same today on selectors that are specifically approved in accordance with the Court 1s Orders. IfNSA has reason to believe the
infbrmation constitutes valid threat-related activity, NSA applies i..JSSID 18 to minimize

inJ(mnation C()nceming U.S. persons and then reports the ini:Cmna.tion to the FBI, CEA,
NCTC and ODNI, and other customers, as appropriate.

(TS//Si//NF) NSA reviewed its anaiytic 1-vorkflcnv to ensure the BP, FISA metadata was appropriately handled, analyzed and disseminated. Three ne'l-v areas of concem, discussed
in Sect1on H.B, were identined with the BR FISA /\nalysis Deeision an_d Reporting 1 ,. D j, , ' . . \.vas prevwusly , . clescn"h1ClL ..! /\ ano ' . ! rocess m ad c 1t1on to t hat vmwh to the Courr- (jJScussea m Section II.A.

:i (UiiFOUOj See Supplemental DIRNSA Declaration chlicd 25 February 2009, at 8, Sec.tion 2 (Inappropriate analyst qw;!rying).

r01) S[CRETrCCIMlN\""'!ORC'ON/N\.)FORN

25

31 August 2009 Production

(TS//SI!/NF) As a by-product of the emHo~end review, NSA has updated the interim analytic BR FISA Standa.rd Operating Procedures (SOP) to ensure compliance with the current Court Orders and is coordinating this document with [)oj as required by the

Court. This SOP outlines step-by~step instmctions for the rmthorized intelligence analysts
in handling the BR FISA metaduta; describes the procedures used to control access to the

13R Fl.SA metadata; provides the steps used to conduct weekly audits ofthe analysts' quedes and tools; and details the methodology used to query the BR FISA metadata
under newly established Imminent Threat C()ncept of Operations guidelines. NSA will continue to maintain the SOP and CONOP as "living documents" a.nd update them as needed. (TS//SU/NF) NSA also continues to maintain and regularly update an 11-step comprehensive checklist that outlines both the Homeland Mission Coordinator and analyst responsibilities in the BR FISA metadata analys1s and repo-1ting process. The checklist is comprtsed dover 30 components that rc:quire analysts to anS\ii-'Cr a variety of questicms, including whether the proposed report falls \vi thin the scope of 3R FISA authorities and express OGC guidelines; \vhether NSA attempted to get additional inf(mnation about the selector fiom the FBI and CIA intcgrces at NSA; and whether cellu.lar identifiers were checked to determine if the user had roamed into another country, The checklist also reminds analysts to detail the infmmation/intelligence source(s) that prompted the report's production. (TS//SI//NF) 1n addition, NSA has in place a cornbination of web pages and on-line aids dedicated to t:11d~product reporting and dissemination guida.'1ce. These detailed working aids, together vvith required USSID I 8 training for ali BR FISA-approved intelligence analysts, require that any NSA BR FlSA~based reporting that contains U.S. person information follow NS.A 's standard minimization procedures f(mnd in USSID 18 and the Court Order.

(TS//Si//NF} NSA has well~documented and long-standing minimization procedures for ensuring protectil1n of U.S. persons' information in SJGJ.NT analysis and repotting under all SJGlNT auth01ities, to include the FISA Order. NSA 's mmnal regime of compliance oversight :iur handling tbe BR FlSA is a comprehensive, multi-pronged approach involving DoJ and NSA's OGC, O&C, Office nfthe tnspector Gencrai and SID. Cunently, NSA is required to c.onsult \Vith DoJ on all signitl.cant legal opinions invo1ving BR FISA metada.ta handling. DoJ meets ',:vith the appropriate NSA representatives at least once every renewal period to review the program. Prior to the 2 March Court Order that the F!SC make ali RAS detenninations, DoJ also conducted "spot checks" to review a sampling ofjustificat1ons (RAS detennina..tions) for querying the metada.ta. NSA, in turn, provides internal ove-rsight to the BR FISA program by a variety of oversight controls and compliance mechanisms to prevent, dete-ct., correct and report incidents and violations of the procedures, to include technical, physical and m~magerial safeguards such as: exarnining samples of ca.U-de:tatl records to ensure NSA. is receiving onty compliant data; ensuring analysts are trained in the querying, dissemination and storage

TOP Sr::\'F~ F"T"i/C'Oi\.llN f/iClRCON/NOFOr< N

26

31 August 2009 Production

restrictions tbr the metadata; monitoring analytic access to the metadata; auditing queries on a 1veek!y basis by O&C; monitoring audit functknaiity; re-vie'.ving the BR FISA rmv database repositories; and examining the list of RAS~approved. selectors.

(TS//Sli/NF) In light ofthe compliance issues that surfaced specific to the handling ofthe BR FrSA metadata, NSA reviewed its minimization procedures as \Vell as its oversight procedures, to include auditing, documentation, and training, to identify areas tor potential improvement. All were identified as CJreas for enhancement to ensure thai per:..;:on.nei handiing the BR FlSA metadata are awa1e of and compliant with the Court Orders goveming its use and dissemination.

A (l''\ i;

1\.'i'

rnHU.fiHZ1!11.H}li

.....

(TS//Sl//NF) Every NSA intelligence analyst is required to complete training and pa.ss a test on US SID 18 minimization procedures every two years as a pre-requisite for access to umninimized/unevalw1ted SIG!NT data. Additionally, inte:Uigence analysts must receive ~ ..n (X!C comphance brieflng and on-the-job training (OJT) regarding their responsibilities for handling metadata containing U.S. person infonnation prior to being granted access to the B.R FlSA metadata. They also have on-line acce~~s to detailed working aids including required minimization procedures. NSA wiU continue to emphasize the critical irnporta.noe of applying USS!D l8 and the Court Order requirements as they relate to the handling and dissemination of BR FISA.

B. (0) Oversight 1, (U//FOUO) Oversight AudiHng lVtechanisms


(TS//Sl//NF) NSA assessed requirenv~nts for auditing of systems, tools, processes and analyst queries to ensure the proper compliance procedures were in place. A total of 13 audits related to BR FISA metadata aecess and querying were conducted either as the result of standinu the end-to-end ... reauirements or in response to issues identified throu!!h .._, reviev.r. Descriptions of n:'Sultan.t .. anomalies are captured in Section TL
~

(TS//Sl//N.F) NSA audits samples of quertcs ccm,ducted by BR HSA-authorized intelligence anal and data integrity analysts in on a weekly basis. As a result a review of oversight

processes, O&C creatr;.,'d a dedicated senior intelligenc.e analyst posi.tion to auditing of BR FISA mctadata qw;:ries.
2. (li//FOLJO) Oversight Documentation and Procedures

t~nhance

(TS//S U/NF) Oversight documentation and procedures governing BR FISA metadata handling ccmsists of a set of SOPs that have been reviewed and revalidated, They are as

follows:

"i"C)P

sr.:cn F;f'ico:vf!Nr i.!ORCON/NOFORN 31 August 2009 Production

27

T<JJ-' SL('RF'l iCOMih'liORC()i\,iN\JFORN


~;~

""Access": This SOP outlines the procedures for gaining and maintaining
access to the BR flSA mdadata in a way that is compliant '"''ith the BR

i!ll

FISA Court Order. ""BR FISA Audit Procedures~': This document outlines the ,..,.,..,."""" used to audit BR FISA anal queries
compliance Notmc.ation'': This document addresses the procedures to be t(>llowed 'Nhen compliance issues are noted.
'"Do.} and OGC Spat Checks 1': This SOP addresses the procedures to b~

fll

<1l

~~~

folknved for the required, regular DoJ andior OGC spot checks. "'Oversight'': This document outlines the roles and responsibilities of the DoJ, the NSA Director, the OGC, O&C, the Inspector G e n e r a i , and those Counterterrorism Organization analysts BR FiSA meUtdata access.

3. (U) Oversight Training

(TS!/Sl//NP) NSA's Associate Directorate of Education and Training (ADET) had already been working ;vith O&C and OGC to redesign the required training for accessing BR FISA metadata to better enforce appropriate handiing of this data and to introduce competency testing as part of the O&C curriculum. The curriculum will be administered on-line to allow students 24/7 access to the course material. (TS//Sri/NF) The redesigned BR F!SA portion of the training package addresses the knowledge and procedural components of handling BR FISA data, and nO'iM requires the an.alyst to read the most current Court Order and the OGC i.nstmctions, and i.n the future wiU require them to view an OGC video briefing about the BR FISA program and complete the follov,:ing six lesson tutorials: 1, "Overvie\V of the Reasonable Articulable Suspicion standard," as covered in OGC instructions 2. '"Summm)' ofthc RAS standard," to a.id NSA analysts in prepaJing RAS j ustificat1ons 3.. ~'Asso.ciation \.Vith to identify ho\V associations are established in order to q a target fix RAS justit1cation 4. "First Amendment Considerations," to identify Hmitations and
considerations when targeti.ng U.S. persons r,vithin BR FiSA data

5. "Sources of iniixmation," to identify the supporting irlflxmation used to justify tbe RAS detennination 6. "'The BR FISC Order," which explains the content of the BR FTSA Orders

(T'S//SI//1'-JF) A compo..1ter-based competency examination \vil.l be administered upon completion of this training and remediation will be provided J()r missed questions. Once an analyst has demonstrated the neeessary knowledge by su.ccesstuHy passing the exam, he or she -vvill complete formalized orr before O&C grants acc:ess to the data.

"J'CiP SJ.:('I\ l:i"!/CClfv1JNT.'i0R("ClN/NC)F()]{\1

28

31 August 2009 Production

' ' teredb y an expenencen . I'.T"1(' (.'l'S'"'"")"''F'll 1 //':i // 1'! } ! 1c (")r- . J i componen! 1!las mways been a(1. mrms nh- ..
L

or senior analyst experienced in conducting orr. This training specit1cal1y addresses how analysts are permitted lOuse the BR FlSA mctadata, reinfnrces the unique privacy

concerns and handling requirements ofthis data, and demonstrates the various tools that
can be used to query the BR FISr\ metada!a. In addition; each HMC and authorized intelligence analyst is required to sign a user agreement, documenting that he or she has read and understands the obligations associated with handling the BR mctadata. (TS//Sl//NF) NSA has aho begun to provide tailored briefings to all technical persotlncl that have been granted access to the BR FISA metadata. 11-1e tailored briefmgs outline the categories of data obtained under the BR FISA Court Order Emd the restrictions associated \li.tith the technical personnel's duties. For example, the briefings make it clear that the Collection rvlanagers and System Administrators are not authorized to query the BR FISA metadata for i{m:ign intelligence purposes. The briefing also nutlines the correct offices to contact if the technical pen;onnel see possible con1pliance issues in the course of their duties. (TS//Sl//NF) As part ofthe BR FISA training redesign, complete training records 1vill be maintained by ADET for each individuaL Tbe documentation will i.nclude the test score, a.I1.:F)j)C!"S to individual test questions, and peri:onnance feedback from the OJT COmponent. This documentation \l\'ill aHo,.v for tracking of access t.o the BR data on an irrdivjdua!
baSiS.

(TS//Sl//N F) Using principles of system engineering, eon figuration management and access control, NSA has considered the future implementation ofthe BR FISA program including the automated activity detection proc:es..c; to be used should the Court authorize NSA to resume regular acr:.ess to the BR FJSA metadata..

A. (t.J//FOtJO) Future BR FlSA Activity Detection (Aterting) Process


(TS//Sl//}\lF) NSA.. could resurne automated activity detection in a fuHy compliant manner should the Court approve. NSA \Nould maintain an Activity Detection (alert} Li8t containing on~).' RAS~approved selectors. Only the RAS-approved selectors on this "BR identifier List" would be compared to the BR FrSA metad.ata. \"/ith Court approval to resurne automated querying, NSA \Vill \.VOd< v,ritb NSD/DoJ to ensure the BR Identifier List \:1.1i.ll he popi:t!ated \Vith only those selectors that the Court has authorized. Should the Comt grant NSA RAS decision atLthority, NSA would begin to augwent tl1e BR identifier List vdth additional identifiers that NSA appnYves as having satisfied the RAS standard~ using the improved processes and. training identified in this document.

It (V) Futlilre of Overarching Archttectu:re

TC)rl SEC'RF'I.i!CO!'AiN.T/iORCCJNiNCIFORN

29

31 August 2009 Production

(TS//SV/NF) in the future, should the C.ourt authorize NSA to resume regular access to the BR FISA metada.ta~ NSA \Vii! migrate the datnf1ow and Hfe cycle managernent of the BR FrSA metadata to its next generation system architecture vvhich offers more effective and eftic1ent tnanagcment and control. This architecture is designed to be Hexib1e enough io adapt to changes in th<.~ legal and oversight requirements. while confonning to applicable governing authorizations such as EO 12333 and BR FlSA. (U//FOUO) In the future architecture, the end~to-end BR FISA datat1ow will be referred to as a system "thread.'' As such, NSA would manage the entire capability via a "Thread Engineering Team" to guide the requirements development, systems integration, use-case development, testing/validation and pl~uw.ing fi.w current and. future enhanc.ements. T'hread engineers would meet with repre~;entatives from the OGC and O&C to define and validate requirements ptior to development. System-\vide configuration management would be implemented to- log the expected soth;.,'are builds and patches. Such practices exist nov11, but there is no thread focused on the Business Records process. (TS//SI//NF) The proposed systems supporting BR FISA dataflow and life cycle withi11 the next generat[on architecture encompass both technical- and perscmnel-based strategies to ensure that data is accessed, retained and purged in fult compliance \Vit.h auth01ities granted to NSA by the FISC. Moreover, the implementation of centrali:i':cd proces3es and databases \;,'ill ensure that all aspects of the dataf1ow wiH continue to be tracked and audited to ft..rrther ensure that any non-compliance issues can be pron<ptly ident1tled and addressed. Plans 'f()r addressing key requirements for BR FISA metadata are as fotlows:

1. (ll//FOVO) Security I Access CantnJl


(TS//SI//NF) A nmv access control application ~.viii be applied to ali databases and systems supporting the B.R FlSA workt1ow. This application 'lll:ilJ validate the credentials ofuscrs to govern '"''hat systems they are approved to access, and validate that their required training is current. PKl, \Vhich offers security mea.<>u.res f(,r identification and authenticaticm, as well as for access control, and audit capability will be used to manage users '\~'ith access to the raw data or query results.

2. {iJ//FOlJO} lJ.at$ Sttmdan:!.ization


(TS//Sl//NF) A data standardiz:.ation platform will date-stmnp the incoming BR metadata and ensure its consistent and accurate structure. This wi'Jl allow quick and accurate claiebased purging once the Court-ordered time ti-ame has been reached.

3. (U//FOUO) Databasing RAS Sd.eetors


(fS//SI//NF) An updated and improved centralized target knovdedge: databa.se for storing telephony and emai 1 selectors has been under development since October 2008. This database 'IVill enable mvre efficient storage and retrieval of key information about eacb BR FISA telephony identitler such as its RAS status and the justification and OGC

30

31 August 2009 Production

'I\ 1P sr:c:Rr:Tii(:Gfvll NT/i()R('()i'<'NOFOR N

approval as appmpriate, for those that have been RAS-approvcd. 'These features are sdieduled for ccnnplction during the fourth quar';:er ofFY09.

4. (TS//Si) Analytical Processing and CaH Chaining

(TS//S li/NF) J\n enhanced can chaining function and data processing capability will support large volumes of automated algorithms, handle growing ing~st rates and deliver faster query responses. Additionally, the metadata Viill be stored using security tags, a measure \vhich can be used to restrict the visibility of individual entries in the database to personnel Vv'ith the appropriate access credentials.
5. (ll//FOUO) Auditing and l\iouJtoring

(U//FOUO) Enhm1ccd aud-iting \vi!! provide a means to track a clat:a user's activity patterns, the state of a user's operations, and the frequency and composition of quedes. A formal metrics and monitoring system will also he used to monitor the status of the end-to-end processing and will alert managernent and operations personnel when processing anomalies are detected.

vt fU) Condusion
(TS//SF/NF) As discussed above, NSA has thoroughly reviewed the technological systems, analytic Y..10rkHows and p-rocesses asso-ciated 1-v1th its implementation of the Bit FISA Court Orcler, and has introduced corrective measures to address specii'1c concerns and vulnerabilities. These new measures ;.vill ensure a balanced focus on technological so1utions and management ccmtrols. The end-to~end review also revealed areas for improvement which have been documented and wiU continue to he addressed. \\There changes \.Vere made impacting current manual operations, a combination of system

evaluations, demonstrations and audits provided confidence that the tec.hn1cal f1xes are
actually configured and operating as intended.

(TS//SI//NF) The rernedial actions described in this report are subject to ongoing im.provernent and vviil support strict adherence to the Court Order. Although no concc1ive measure is infallible, NSA has taken significant steps designed to eliminate the
possibility of any future compliance issues and to ensure that the mechanism.s are in place to detect and rt;~spond quickly if one \Vere to occur.

TOP

0[(:/~Ffi/C'Of\'ll\!T

iOHC.'ON/NOFOJ:ZN

31

31 August 2009 Production

-roP SE.CI( L.T/.'("0\AlNTii()R('C)NiNO-FOFU<

31 August 2009 Production

186

'I OP sr:cRETt('()\!llNT/i()RCONiNOFCIRN
amuu~hot&

of BR F!SA

Pn~cess

addressed in End-to-End Revie'\-V

ro P 5 LC' IZ E'T'!/CO:Vll N'T/iO l{ C'Of>J/i\'()F(i Ri'J 31 August 2009 Production

33

187

Figure 3: Comprment of BR FlSA P:rucess addressed in End-to-End Review

.J"O P SFCR E'T"//CO \'!iN T/'0 !<. (\) 0J iN() FCJ RN

34

31 August 2009 Production

'T"(1P S E( :R F. J.!.'(:C:HvHNTi/f.).RCON!NOFCJRN Figun: 4: Component of 8]{ FfSA Process addressed in End-to-End Revkw

35

31 August 2009 Production

'f<.) P Sf.:.(: lZ L~1 . . ...-(~(Jf\. tf t~r,... . . (JR.C~\J ~\:/~~() FCl 1\ N of BR FISA Process addressed ~n End-to-Em:! Revh.o-v"

.lf).P S ECF: .ETi/('0;\'f fNT//ORC'C)N/t'X)F()R N

36

31 August 2009 Production

190

.......
!C

-'/:

)> !"")

tn

Otl
!C

-o
"""'!

'-,.

,-.,

:;o
~..;

0
0..
!C

:~

.:.._.:
-y ,1.___

0
rl-

__::;; /.
f""-:

..

0 ::::J

\ ...../

...:-;
.....

;:::

2;.~

STATION Table
RAS Approved

cAa:~~~~i~~~ ;;~t.io
!

tlddress1'-.s

tM~;_;;~N;~~:iE

Nu, Seiector
Y~s,

rAG NOT HAS


1\pprovua

Cf~

""'1 ,.,, I'<'


r-">"1 ..

TAGRAS Approved

"1

rl'

---l
r'l

w _.
)>

0
~

e'
(l)

!J.; :.;
r~;

c
Otl

......
co

(f)

. ::::~.

:.~

""

"' ~~ ~ (\')
~

2 ,..,
<:l

: ........

.____,

f.,
:;_,

~")

,....,
:.

::;r

:::
~--

g
()
("'!

i-0

~ ;:G
~

-ott~

'

N ~: C> C> ':2..:


-i

;~

<+
nllll"

;.,.
~

f.tf.l

,.,; ..-.:.;
,..J
"''-.
:;.;~

..

"'! ""~ 0

-u 6 X """!
0

0..

:.._,.,,_;

r . ,....::::

.-+

t:i f'1l
ro

c
........
0
::::J 0

z
......
~

BRF
FISA-B

2.: --..
.....;'"!

~
0
'"'!
(';

!?

"' "" "" i'


"'I
~

-~?.::. ,

r---

..::~;-,_

__
~

.. ::.:
..... ;

........~
~J'i

-~

(,'l.,
P~

..-

"'a
(il

= ""
'

,.- ....

:;.:;:;
'2~~

-.... .)

,....:.

p.
::1

t].'l ""' 2:
!"'' .......

:;::
,

''-'

,__
~;!

"' ' ~':!

- .....:
~
"'._.l

1?':1
r.~..
f"'t-

...c~.

r"'..,. :;:r

Q
~
~

'

0,..

;:e
r;
~

<

(D

00

L>-'

~--~-- -------- - -~-

T!!lllplwny Activity Dei!H::tion Process

-- --- ~- ---- -- ----- --- 'i,~;?~:~7.:t~::~ci:!.if:2R::~~.h~,~!~;.,~~~;;H --------------- - ------ ~- ----- -------

(b)(1); (b)(3)

r () F S[('R FT '\X! f'vll NT'fiORC(}f'-1/"J OFCH\ N


Fi.gure 8: Component of BR FISA Process addres!>ed in .End-to-End Review

"RAS Approvalftocc~~:

Yt!5 ~ Mli! tJ)..\pprovofi

r--.. - . . -- -- - . . _
.1
1

fl\tldit:!S~

! 1
'

'
Y~s ~T~ as R.6.5 l>.p,.-oe~
~

!
~-

,,

.. ... _......... : ... ... .,....-....... __.._, .................


~

Af:ij.J!'i)VCd

' l

Apprwod STII'RON
Tall!~

RAS Approvaf Process

Corporate i----+-4'-'l'""
iltor~e

Sentk.es
'
~

..

~ ~ ~

..

'

Au~t~m&t~ Cha~ning

'----'>!<>

Am~ys$

Toois

(ACI<TS)

r- ........... - .. - .-....... - --- ____,.....)

. . --- ..-~ . .-"'--t

& Domestic)

.AJI terror;;[ relillBd oOd;es~es AQ a.'1Hiaii~~nm;:~yl10\ beklo.r.n

T0,0 SECRET //COMINT //ORCON//NOFORN//203201 08


39

31 August 2009 Production

(b)(1); (b)(3)

; \)f' Sf)_ 'RFf/i('Of\'l [ N r'iORCOf\JiNOFORN

Figure 9: Component of BR F!SA Process addressed in End-to-End Review "BR FlSA An:::tlvtk Tools and Processes"

40

31 August 2009 Production

(b)(1); (b)(3)

,------.....................- ..( , Telephony 1

,__,_._.,_., .. __,_.,,_,,,HH--------------------- . --------------- - H-

_:i:: ..-~.--:=.

!Activity Detection ' i !(Alerting) Proc~;ssj

I
,,.H__ ., ___________________ , ____ ........ .
.,

.. ~:~......________________
QC & Edits Request for
cme~time

Rfl &1'arge! Know!odge Porta!


---i _,.. ...
~

','I

._)

Portal
Reports

w :-: ;}
_a. :./;

Analyst Yes Rep011 Process (Anaytic Decision to

Checklist Used)

dissem. of US IDENT

-~

N 0 0
(0

;;::~~

..?..

.,.

.,
0

"1J

. .,_., ..

..::::

~ ..

;;..-:: ....._

0..

::-~:

0
~

;z:
"-'

7. _..._
-~~

Queries i Responses (NSf\ Personnel)

Coordinate) Edit & Release


ResponGes

(FBI, CIA. NC'fC


Personnel)

0
::II

....:..:

;;:::i

!BRfiSA 1Anal:yst Decision &

Report to FBI/ CIA/ ODNI/

j~~e~-~!-~~--~~~~~-~~--- . ---------'"-"-------------------------.. . . . . - - - - -

NCTC
.. -. ...... i.

(b)(1); (b)(3)

Appendix: ACAT Activity Detection List

G~os!<;a:ry

uf '"ferms

See Autornated Chaining and A.na(vsis Tool

and GU! A list ofthre~gn and domestic telephone selectors believed to be associated v.rith
terrorist targets. The Activity Detection List is independent of the Staticm Table. Fonner1y ca.lled the Alert List, this Hst is nov/ more commonly refened to as the Activity Detection List in order to be more

Automated Cbaining and Analysis Tool I i> ('AT) ar.-d ('"lll ..._r .. v\ .. ;-..

Components

The core systems processes Identified as part of the BR F!SA metadata woTkflow against which JP As and PIAs were conducted.

Configuration Management

The process oftmcking, controlling and documenting changes in softvn.l.re applications; including revision contro-l and
establi baselines. f.._ database containing list of identifiers \Vhich, based on an analytic judgment, should not be tasked by the SfGINT

Defeat List
is.

elk~\~' are-

measure \Vlitten int'o on 20

TOP SEtJ{ [Tf'C()f\1\NT'//ORC:DN/NC)FORl\

31 August 2009 Production

(b)(1); (b)(3)

rop SEC.RF . f.//('()iv'll N'L'/(!R CON/NGFC)R N


feb-ruary 2009 to prevent a non-RA.S approled selector from being used for a ofthe BR F!SA metadata. chain

Global System i()r rviobile Communication.'l

a system or process wh1ch inctudt::.-s a standard set of questions used to determine, among other things, '.Vhether the system or process under review interact<;
\vitb data that coul.d contain information about U.S.

, or ex_amp e, inf(1J'mation about a telephone ca.H~ to include the calling and cal.led numbers, time of can, etc. Metadata does not include
C(mtent

111e repository for individual BR FlSA metadata call records f(1r access by authorized Homeland Seculity Analysis Center . AC and data i

-J (lP SLC'RF.!Ii('())Vl.! ~Hit()R('ON/NOFOR N

43

31 August 2009 Production

(b)(1); (b)(3)

to vie\v detailed inDJrrnation about specific

Parsing Rules

A sclcc.bon management system used to mc:mage and task selectors, such as telephone numbers, !MEls, and I.MSls, to many different information collection \vorldwide. A method for separating data into standardized data fields.

Public Key lnJrastmcturc (PKJ)

An information assurfuJ.ce service that supports digital sit,:rnatUJ-es and other


1

public-key based security mechanisms, and offers security measures such as

identit!catio-n and authentication, accr:..'Ss


Pr-ivacy Impact Assessment (PIA) control and audit :A ' dept h, stanaarcuzed ' ,. . rev1ew . or .t.' . n mprivacy concerns for a particuJar system or

Requirements

The tem&s contained in the governing BR


F1SA metadata documents that must be satisfied as the end-to-end workflow. The process of dis&ruising intelligence to protect sensitive collection ;>ources~. methods, capabiWies or analytic ; procedures in C}rder to disseminate to customers at a das:sification level they can use. A. n initial selector used to generate a chain

Sanitize

Seed
Se-lector

could be

by HMCs to conduct
BR FIS.A mctadata

-[o 1 SL::C Fi. r::T//("() M I~.; Ti!C.1 RCC) NiNO FOR N


31 August 2009 Production

44

(b)(1); (b)(3)

rei f) S.E:'CRF1'/.(:()f'vl !N J '/ORCOh!/NOFC)Rt-\


' a.J";d provide the results to the team. HMCs only used RAS-approvcd selectors when using this tool. T h e - t~:.~am

ultin1atd

vided the results to NSA's

Standard Operating Procedure (SOP) Station Table

Institutionalized documentation describing of1icial and Historic reference of all telephony selectors

that have been assessed for R_,Ll.S - and


their associated RAS deterrnination (RAS Approved or Not RAS Approved) - since the BR FlSA Order '.vas first signed on 24 2006. The logical and physical brcakdowrL.'> ofthe

Sub-components

BR FISA n1etadata vvorktlow components


that perfo-rmed specific activities and/or functions. An analytic query tcoi used to seek out additional infonnation on telephony

selectors f r o m - and other knowledge bases and reporting

I System
I

Security Plan (SSP)

I
J

..~,. ~ "1 nnptemcnteo protecuon measures wr t 1e


t

Fom1al documc1.1t describing the


I .

Telephony Activity Detection (Aler:..Cing)

Process

. secure . 'on of a com . The process used to notify NS;\ analysts if there was a contact betvveen a fbreign

identi-fier associated with


and

31 August 2009 Production

199

(b)(1); (b)(3)

1'he q~ery iool v,rhich indicates whether a


telephony selector is present in NSA data
repositories~

the total number of unique

contacts, tota! number of caU.s, &!d ''first heard" and "last heard'' inkmnation for the
se1ector.

TOP SEC'RE' f'iiC'Of'v1 l NT/.{}RC'ON /N OFO R J\1

46

31 August 2009 Production

(b)(1); (b)(3)

U.S. Department of Justice


National Security Division

Assistant Attorney Ge11eraf

Washington, D.C. 20530

TOP SECRET//COMINT//NOFORN

31 AUGUST 2009 PRODUCTION

201

(b)(1); (b)(3)
:-:"c:-::-,-:::.-

TOP SECRET//COMINT//NOFORN

202

All redacted information exempt under (b)(1) and (b)(3) except as otherwise noted.
TOP SECRET//COMINT//NOFORN UNITED STATES FOREIGN INTELLIGENCE SURVEILLANCE COURT WASHINGTON, D.C.

IN RE APPLICATION OF THE FEDERAL BUREAU OF INVESTIGATION FOR AN ORDER REQUIRING THE PRODUCTION OF TANGIBLE THINGS FROM

111111

Docket Number: BR:

PRIMARY ORDER

A verified application having been made by the Director of the Federal Bureau of Investigation (FBI) for an order pursuant to the Foreign Intelligence Surveillance Act of 1978 (the Act), Title 50, United States Code (U.S.C.),

1861, as amended,

requiring the production to the National Security Agency (NSA) of the tangible things described below, and full consideration

TOP SECRET//COMINT//NOFORN Derived from: Pleadings in the above-captioned docket Declassify on: 1 September 2034

TOP SECRET//COMINT//NOFORN having been given to the matters finds as follows: 1. There are reasonable grounds to believe that the set forth therein, the Court

tangible things sought are relevant to authorized investigations (other than threat assessments) being conducted by the FBI under guidelines approved by the Attorney General under Executive Order 12333 to protect against international terrorism, which investigations are not being conducted solely upon the basis of activities protected by the First Amendment to the Constitution of the United States. 2. [50 U.S.C.

1861 (c) (1)]

The tangible things sought could be obtained with a

subpoena duces tecum issued by a court of the United States in aid of a grand jury investigation or with any other order issued by a court of the United States directing the production of records or tangible things. 3. [50 U.S.C.

1861 (c) (2) (D)]

The application includes an enumeration of the

minimization procedures the government proposes to follow with regard to the tangible things sought. Such procedures are similar to the minimization procedures approved and adopted as binding by the order of this Court in Docket Number BR 09-09 and its predecessors. [50 U.S.C.

1861(c) (l)]

Accordingly, the Court finds that the application of the United States to obtain the tangible things, as described below, TOP SECRET//COMINT//NOFORN

TOP SECRET//COMINT//NOFORN satisfies the requirements of the Act and, therefore, IT IS HEREBY ORDERED, pursuant to the authority conferred on this Court by the Act, that the application is GRANTED, and it is FURTHER ORDERED, as follows:
( 1) A.

shall

produce to NSA upon service of the appropriate secondary order, and continue production on an ongoing daily basis thereafter for the duration of this order, unless otherwise ordered by the Court, an electronic copy of the following tangible things: call detail records or "telephony metadata" 1 created by all

1111111111

In addition, the Custodian of Records of

111111

shall

produce to NSA upon service of the appropriate Secondary Order an electronic copy of the same tangible things created by

111111

for the period from 5:11 p.m. on July 9, 2009, to the date of this Order, to the extent those records still exist.

For purposes of this Order "telephony metadata" includes comprehensive communications routing information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) number, International Mobile station Equipment Identity (IMEI) number, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony metadata does not include the substantive content of any communication, as defined by 18 U.S.C. 2510(8), or the name, address, or financial information of a subscriber or customer. TOP SECRET//COMINT//NOFORN

TOP SECRET//COMINT//NOFORN B. The Custodian of Records of

produce to NSA upon service secondary order, and continue production on an ongoing daily basis thereafter for the duration of this order, unless otherwise ordered by the Court, an electronic copy of the following tangible things: all call detail records or for communications (i)

"telephony metadata" created by -

between the United States and abroad; or (ii) wholly within the United States, including local telephone calls.

(2)

With respect to any information the FBI receives as a

result of this Order (information that is passed or "tipped" to it by NSA), the FBI shall follow as minimization procedures the procedures set forth in The Attorney General's Guidelines for Domestic FBI Operations (September 29, 2008). (3) With respect to the information that NSA receives as a

result of this Order, NSA shall strictly adhere to the following minimization procedures:

TOP SECRET//COMINT//NOFORN

TOP SECRET//COMINT//NOFORN A. The government is hereby prohibited from accessing

business record metadata acquired pursuant to this Court's orders in the above-captioned docket and its predecessors ("BR metadata") for any purpose except as described herein. Notwithstanding the requirements set forth below, Executive Branch personnel may be permitted access to the BR metadata and information derived therefrom in order to facilitate their lawful oversight functions, which include, but are not limited to, those set forth below. B. The BR metadata may be accessed for the purposes of

ensuring data integrity and developing and testing any technological measures designed to enable the NSA to comply with the Court's orders. Access to the BR metadata for such purposes

shall be limited to the NSA Collection Managers, Data Integrity Analysts, and System Administrators described in paragraph 16 of the Declaration of

111111,

Chief, Special FISA Oversight

and Processing, Oversight and Compliance, Signals Intelligence Directorate, the National Security Agency, filed as Exhibit A to the Application in the above-captioned docket Declaration").

(111111

Additional individuals directly involved in

developing and testing technologies to be used with the BR metadata may be granted access to the BR metadata, provided such access is approved by NSA's Office of General Counsel (OGC) on a TOP SECRET//COMINT//NOFORN

TOP SECRET//COMINT//NOFORN

case-by-case basis.

Except as provided in paragraph (3)J,

persons who query the BR metadata pursuant to this paragraph may only share the results of any such query with other speciallycleared NSA technical personnel. Queries performed by the

persons described in this paragraph shall not be subject to the approval process and standard set forth in paragraph (3)C below. To the extent NSA personnel make copies of the BR metadata for purposes of ensuring data integrity or developing and testing technological measures, such copies shall be destroyed upon the completion of their work. C. Subject to the restrictions and procedures below,

the BR metadata may be accessed for purposes of obtaining foreign intelligence information through contact chaining ("queries") using telephone identifiers, 2 as described in the paragraphs 8-13. (i) Except as provided in subparagraph (ii) below,

111111

Declaration at

all telephone identifiers to be used for queries shall be approved by one of the following designated approving

TOP SECRET//COMINT//NOFORN 6

TOP SECRET//COMINT//NOFORN officials: the Chief, Special FISA Oversight and Processing, Oversight and Compliance, Signals Intelligence Directorate; the Chief or Deputy Chief, Homeland Security Analysis Center; or one of the twenty specially-authorized Homeland Mission Coordinators in the Analysis and Production Directorate of the Signals Intelligence Directorate. Such approval shall be given only after the

designated approving official has determined that based on the factual and practical considerations of everyday life on which reasonable and prudent persons act, there are facts giving rise to a reasonable, articulable suspicion that the telephone identifier to be queried is associated with

TOP SECRET//COMINT//NOFORN

TOP SECRET//COMINT//NOFORN
4

provided, however, that NSA's OGC shall first determine that any telephone identifier reasonably believed to be used by a United States (U.S.) person is not regarded as associated with

solely on the basis of activities that are protected by the First Amendment to the

intelligence reveals the existence of other terrorist organizations associated with the the Government shall seek the Court's a as falling within

them

TOP SECRET//COMINT//NOFORN

TOP SECRET//COMINT//NOFORN Constitution. 5 (ii) Telephone identifiers that are currently

the subject of electronic surveillance authorized by the Foreign Intelligence Surveillance Court (FISC) based on the FISC's finding of probable cause to believe that they are used by agents of

including those used by U.S. persons, may be deemed approved for querying for the period of FISCauthorized electronic surveillance without review and approval by a designated approving official. The

preceding sentence shall not apply to telephone identifiers under surveillance pursuant to any

The Court understands that from time to time the information available to designated approving officials will indicate that a telephone identifier was, but may not presently be, or is, but was not formerly, associated with a circumstance, so long as the designated approving official can determine that the reasonable, articulable suspicion standard can be met for a particular period of time with respect the telephone identifier, NSA may query the BR metadata using that telephone identifier. However, analysts conducting queries using such telephone identifiers must be made aware of the time period for which the telephone associated with , in order that the analysis and minimization of the information retrieved from their queries may be informed by that fact. TOP SECRET//COMINT//NOFORN 9

TOP SECRET//COMINT//NOFORN
certification of the Director of National Intelligence and the Attorney General pursuant to Section 702 of FISA, as added by the FISA Amendments Act of 2008, or pursuant to an Order of the FISC issued under Section 703 or Section 704 of FISA, as added by the FISA Amendments Act of 2008. (iii) A determination by a designated approving

official that a telephone identifier is associated with

shall be effective for:

one hundred

eighty days for U.S. telephone identifiers and for any identifiers believed to be used by a U.S. person; one year for all other telephone identifiers. 6

TOP SECRET//COMINT//NOFORN
10

TOP SECRET//COMINT//NOFORN

D.

The Director of the NSA shall continue to maintain

mandatory procedures to strictly control access to and use of the BR metadata, in accordance with this Court's orders. NSA's

OGC shall continue to promptly provide NSD with copies of these mandatory procedures (and all replacements, supplements or revisions thereto in effect now or adopted in the future) . Chief, Special FISA Oversight and Processing, Oversight and Compliance, Signals Intelligence Directorate; Chief and Deputy Chief, Homeland Security Analysis Center; and the Homeland Mission Coordinators shall maintain appropriate management controls (e.g., records of all tasking decisions, audit and review procedures) E. for access to the metadata. The

The NSA shall obtain the BR metadata from

111111

, and shall store and process the BR metadata on a secure internal network that NSA exclusively will operate. F. Any processing by technical personnel of the BR metadata

acquired pursuant to this order shall be conducted through the NSA's secure internal network, which shall be accessible only to authorized personnel, using accounts authorized by a user authentication service, based on user login and password. G. Access to the metadata shall be controlled by user name NSA's Oversight and Compliance Office shall
TOP SECRET//COMINT//NOFORN
11

and password.

TOP SECRET//COMINT//NOFORN monitor the designation of individuals with access to the BR metadata. When the BR metadata is accessed through queries

under paragraphs (3)B or (3)C above, a software interface shall limit access to the BR metadata to authorized personnel, and the user's login, Internet Protocol (IP) address, date and time, and

retrieval request shall be automatically logged for auditing capability. 7 When the BR metadata is accessed through any other

means under paragraph (3)B above, the user's login, date and time shall be automatically logged for auditing capability. NSA's Office of Oversight and Compliance shall monitor the functioning of this automatic logging capability. All persons

authorized for access to the BR metadata and other NSA personnel who are authorized to receive query results shall receive appropriate and adequate briefings by NSA's OGC concerning the authorization granted by this Order, the limited circumstances in which the BR metadata may be accessed, and/or other procedures and restrictions regarding the retrieval, storage, and dissemination of the metadata.
7

In addition, the Court understands from the Declaration of Lieutenant General Keith B. Alexander, Director of NSA (Ex. A to the Report of the United States filed in docket number BR 09-09 on August 17, 2009) that NSA has made a number of technical modifications that will prohibit analysts: a) from inadvertently accessing the BR metadata in ~ b) from querying the BR metadata in with non-RAS-approved identifiers; and c) from going beyond three 11 hops 11 from an identifier used to query the BR metadata in

1111111111 1111111111

TOP SECRET//COMINT//NOFORN 12

TOP SECRET//COMINT//NOFORN

H.

NSA shall treat information from queries of the BR

metadata in accordance with USSID 18 and shall apply USSID 18 to minimize information concerning U.S. persons obtained from the records produced pursuant to the authorities granted herein. Additionally, before the NSA disseminates any U.S. person identifying information, the Chief of Information Sharing Services in the Signals Intelligence Directorate, the Senior Operations Officer at NSA's National Security Operations Center, the Signals Intelligence Directorate Director, the Deputy Director of the NSA, or the Director of the NSA must determine that the information identifying the U.S. person is in fact related to counterterrorism information and that it is necessary to understand the counterterrorism information or assess its importance. Notwithstanding the above requirements, NSA may share information derived from the BR metadata, including U.S. person identifying information, with Executive Branch personnel in order to enable them to determine whether the information contains exculpatory or impeachment information or is otherwise discoverable in legal proceedings. By 5:00 p.m. each Friday

following the authorization requested herein, the government shall file a report listing each instance during the seven-day period ending the previous Friday in which NSA has shared, in any form, information obtained or derived from the BR metadata
TOP SECRET//COMINT//NOFORN

13

TOP SECRET//COMINT//NOFORN

with anyone outside NSA.

For each such instance, the government

shall specify the date on which the information was shared, the recipient of the information, and the form in which the information was communicated (e.g., written report, e-mail, oral communication, etc.). For each such instance in which U.S.

person information has been shared, except those involving Executive Branch personnel seeking to identify discoverable information, the Chief of Information Sharing Services in the Signals Intelligence Directorate shall certify that one of the authorized officials identified above determined, prior to dissemination, that the information was related to counterterrorism information and necessary to understand the counterterrorism information or to assess its importance. This

paragraph's reporting requirement is not intended to apply to instances in which BR metadata and information derived therefrom is shared with Executive Branch personnel in order to facilitate their lawful oversight functions. I. Personnel authorized to query the BR metadata in

paragraph (3)C above may use and share the results of authorized queries of the BR metadata among themselves and with NSA personnel, including those who are not authorized to access the BR metadata pursuant to paragraph (3)C, provided that all NSA personnel receiving such query results in any form
TOP SECRET//COMINT//NOFORN

(except for

14

TOP SECRET//COMINT//NOFORN

information properly disseminated outside NSA) shall first receive appropriate and adequate training and guidance regarding the rules and restrictions governing the use, storage, and dissemination of such information. NSA's Oversight and

Compliance Office shall monitor the designation of individuals who have received the training and guidance necessary to receive the results of queries of the BR metadata.
J.

Authorized personnel also may use and share the identity

of high-volume telephone identifiers and other types of identifiers not associated with specific users _ . . . . . . . . . .

that they discover or have discovered as a result of access authorized under paragraphs (3)B and (3)C or as a result of technical personnel access under prior docket numbers in this matter, among themselves and with other NSA personnel, including those who are not authorized to access the BR metadata, for purposes of metadata reduction and management. The training requirements set forth in paragraph

(3)I above for NSA personnel receiving query results shall not apply to personnel receiving such identifiers, which may have
TOP SECRET//COMINT//NOFORN

15

TOP SECRET//COMINT//NOFORN been identified through queries, so long as they are received solely for purposes of metadata reduction and management. K. The BR metadata collected under this Court's Orders may

be kept online (that is, accessible for queries) for five years from the date of acquisition, at which time it shall be destroyed. L. At least twice before the expiration of the authorities

granted herein, NSA's OGC shall conduct a random spot check, consisting of an examination of a sample of call detail records obtained, to ensure that NSA is receiving only data as authorized by the Court and not receiving the substantive content of communications. M. At least twice before the expiration of the authorities

granted herein, the Department of Justice's National Security Division (NSD) will review NSA's access to the BR metadata under paragraph (3)C above. Such reviews shall include a sample of

the justifications designated approving officials relied upon to approve telephone identifiers for querying the BR metadata, and a review of the queries conducted. N. NSA's OGC shall consult with NSD on all significant

legal opinions that relate to the interpretation, scope, and/or implementation of the authorizations granted by the Court in this matter. When operationally practicable, such consultation TOP SECRET//COMINT//NOFORN 16

TOP SECRET//COMINT//NOFORN
shall occur in advance; otherwise, NSD shall be notified as soon as practicable.

o.

NSA's OGC shall promptly provide NSD with copies of all (including all

formal briefing and/or training materials revisions thereto)

currently in use or prepared and used in the

future to brief /train NSA personnel concerning the authorizations granted by this Order. P. At least once before the expiration of the authorities

granted herein, a meeting for the purpose of assessing compliance with this Court's orders in this matter shall be held with representatives from NSA's OGC, NSD, and appropriate individuals from NSA's Signals Intelligence Directorate. results of this meeting shall be reduced to writing and submitted to the Court as part of any application to renew or reinstate the authorities granted herein. Q. At least once before the expiration of the authorities The

granted herein, NSD shall meet with NSA's Office of Inspector General (OIG) to discuss their respective oversight responsibilities and assess NSA's compliance with the Court's orders in this matter. R. Prior to implementation, all proposed automated query

processes shall be reviewed and approved by NSA's OGC, NSD, and

TOP SECRET//COMINT//NOFORN
17

TOP SECRET//COMINT//NOFORN
the Court. 8 S. Any application to renew or reinstate the authority (i) the

granted herein shall include a report describing:

queries made since the end of the reporting period of the last report filed with the Court; (ii) the manner in which NSA

applied the procedures set forth in paragraph (3)C above; and (iii) any proposed changes in the way in which the call detail records would be received from the carriers and any significant changes to the systems NSA uses to receive, store, process, and disseminate BR metadata. In particular, the report shall describe how NSA has conducted queries described in footnote 5 of this order and minimized any information obtained or derived therefrom.

II

II

II

The Court understands that NSA may begin testing of certain automated processes (or capabilities associated with such processes) within the next sixty days.

TOP SECRET//COMINT//NOFORN

18

TOP SECRET//COMINT//NOFORN

(b)(6)
This authorization regarding
and unknown persons in the United States and abroad affiliated with

nd unknown persons in the United States and abroad affiliated with

at 5:00 p.m., Eastern Time.

Signed Date Time

Eastern Time

Judge, United States Foreign Intelligence Surveillance Court

TOP SECRET//COMINT//NOFORN

19

All redacted information exempt under (b)(1) and (b)(3).


TOP SECRET//COMINT//NOFORN

UNITED STATES FOREIGN INTELLIGENCE SURVEILLANCE COURT WASHINGTON, D.C.

IN RE APPLICATION OF THE FEDERAL BUREAU OF INVESTIGATION FOR AN ORDER REQUIRING THE PRODUCTION OF TANGIBLE THINGS FROM-

Docket Number: BR 09-13

ORDER REGARDING FURTHER COMPLIANCE INCIDENTS

On September 3, 2009, the Court authorized the acquisition by the National Security Agency ("NSA") of the tangible things sought in the government's application in the above-captioned docket ("BR metadata"). Like prior orders in this matter, the Court's September 3 Order adopted strict procedures to control the NSA' s access to, use

TOP SECRET//COMINT//NOFORN

TOP SECRET//COMINT//NOFORN

and dissemination of the BR metadata. Among other things, the Court ordered the following: The Director of the NSA shall continue to maintain mandatory procedures to strictly control access to and use of the BR metadata, in accordance with this Court's orders. NSA' s [Office of General Counsel] shall continue to promptly provide NSD with copies of these mandatory procedures (and all replacements, supplements or revisions thereto in effect now or adopted in the future). The Chief, Special PISA Oversight and Processing, Oversight and Compliance, Signals Intelligence Directorate; Chief and Deputy Chief, Homeland Security Analysis Center; and the Homeland Mission Coordinators shall maintain appropriate management controls (e.g., records of all tasking decisions, audit and review procedures) for access to the metadata. 9/3/09 Order at 11. The Court further ordered that: All persons authorized for access to the BR metadata and other NSA personnel who are authorized to receive query results shall receive appropriate and adequate briefings by NSA' s [Office of General Counsel] concerning the authorization granted by this Order, the limited circumstances in which the BR metadata may be accessed, and/or other procedures and restrictions regarding the retrieval, storage, and dissemination of the metadata. Id. at 12. These provisions of the Court's order adopted requirements that the government proposed in its application as minimization procedures. Docket BR 09-13, Application at 21, 25. On September 21, 2009, at approximately 5:10 p.m., an attorney with the National Security Division of the Department of Justice ("NSD") orally informed a member of the Court staff of a likely violation by the NSA of the foregoing provisions of the Court's

TOP SECRET//COMINT//NOFORN Page 2

TOP SECRET//COMINT//NOFORN

September 3, 2009 Order. The NSD attorney advised that an NSA analyst properly in possession of the results of a query of the BR metadata had forwarded such results by email to other NSA analysts involved in the " investigation.

According to the NSD attorney, at least some of those other analysts had not received "appropriate and adequate briefings by NSA' s OGC" concerning the strict controls imposed by the Court on NSA' s access to, use and dissemination of the BR metadata. The NSD attorney further advised that it did not appear that the query results in question had been shared outside NSA. On September 23, 2009, at approximately 3:35 p.m., the same NSD attorney orally informed a member of the Court staff of another similar incident in which query results were shared by email with NSA employees who had not been trained on the handling of BR metadata in accordance with the Court's Order. The ensuing discussion between the NSD attorney and the Court staff suggested that NSA may have created a distribution list comprised of the email addresses of some 189 NSA

analysts, only 53 of whom have been so trained. The NSD attorney explained that he was not then in a position to assure the Court that the distribution list would be altered to include only properly trained NSA analysts. The NSD attorney advised that NSD and NSA were investigating the foregoing incidents and expected to be in a position to submit a preliminary written notice to the

TOP SECRET//COMINT//NOFORN
Page 3

TOP SECRET//COMINT//NOFORN

Court in short order. As of the entry of this Order, the Court has not yet received such a notice. The Court is deeply troubled by the incidents described above, which have occurred only a few weeks following the completion of an "end to end review" by the government of NSA~ s procedures and processes for handling the BR metadata, and its submission of a report intended to assure the Court that NSA had addressed and corrected the issues giving rise to the history of serious and widespread compliance problems in this matter and had taken the necessary steps to ensure compliance with the Court's orders going forward. Accordingly, the Court HEREBY ORDERS that representatives of the NSA and NSD appear for a hearing on Monday, September 28, 2009, at 3:30 p.m., the purpose of which will be to inform the Court more fully of the scope and circumstances of the incidents discussed above, and to allow the Court assess whether the Orders issued in this docket should be modified or rescinded and whether other remedial steps should be imposed. The Court expects that the representatives of the NSA and NSD who appear at the hearing will include persons with detailed knowledge of the facts and circumstances surrounding the above-

TOP SECRET//COMINT//NOFORN

Page4

TOP SECRET//COMINT//NOFORN

described incidents and why remedial measures had not been implemented to ensure compliance with the Court's Orders that have been issued in this docket, as well as officials of stature sufficient to speak authoritatively on behalf of the Executive Branch. IT IS SO ORDERED, this 25th day of September 2009.

Judge, United States Foreign Intelligence Surveillance Court

TOP SECRET//COMINT//NOFORN
Page 5

(b)(6)

All redacted information exempt under (b)(1) and (b)(3) except as otherwise noted. TOP SECRET//COMINT//NOFORN
UNITED STATES FOREIGN INTELLIGENCE SURVEILLANCE COURT WASHINGTON, DC

IN RE APPLICATION OF THE FEDERAL BUREAU OF INVESTIGATION FOR AN ORDER REQUIRING THE PRODUCTION OF TANGIBLE THINGS F

Docket Number: BR 09-15

SUPPLEMENTAL OPINION AND ORDER

On October 30, 2009, the Court authorized the acquisition by the National Security Agency ("NSA") of the tangible things sought in the government's application in the abovecaptioned docket ("BR metadata"). This supplemental opinion and order reiterates the manner in which query results may be shared within the NSA, as informed by the testimony provided by government, and elaborates on the reporting requirement imposed in the Court's order of October 30.

TOP SECRET//CO MINT //NOFORN

TOP SECRET//COMINT//NOFORN Sharing of BR Metadata Query Results Within the NSA The Court's order permits NSA analysts who are authorized to query the BR metadata to share the results of authorized queries among themselves and with other NSA personnel, "provided that all NSA personnel receiving such query results in any form (except for information properly disseminated outside NSA) shall first receive appropriate and adequate training and guidance regarding the rules and restrictions governing the use, storage, and dissemination of such information." Primary Order at 15, Docket No. BR 09-15 (October 30, 2009) ("October 30 Order"). The order further provides: "[a]ll persons authorized for access to the BR metadata and other NSA personnel who are authorized to receive query results shall receive appropriate and adequate training by NSA's [Office of General Counsel] concerning the authorization granted by this Order, the limited circumstances in which the BR metadata may be accessed, and/or other procedures and restrictions regarding the retrieval, storage, and dissemination of the metadata." Id. at 13. The Court's prior order in this matter contained identical provisions. Primary Order at 12, 14-15, Docket No. BR 09-13 (September 3, 2009) C'September 3 Order"). In September, 2009, the Court received oral notification that NSA analysts had, on two occasions, shared the results of queries of the BR metadata with NSA analysts involved in the investigation who had not received "appropriate and adequate training and guidance" as required under the September 3 Order. Order Regarding Further Compliance Incidents at 2-3, Docket No. BR 09-13 (September 25, 2009). On September 25, 2009, the Court ordered representatives of the NSA and the National Security Division ("NSD") of the

TOP SECRET//COMINT//NOFORN

. TOP SECRET//COMINT//NOFORN

Department of Justice to appear for a hearing in order to inform the Court more fully of the scope and circumstances of the incidents, and to allow the Court to assess whether the Court's order should be modified or rescinded and whether other remedial steps should be imposed. Id at 4. At the hearing, which was conducted on September 28, 2009, the government confirmed that NSA analysts authorized to query the BR metadata had sent query results to NSA personnel who had not received the training and guidance required by the Court's September 3 Order. Transcript at 6-7, Docket No. BR 09-13. Specifically, the government reported that the NSA had created an e-mail distribution list (the NSA representative referred to this list as an "alias") for the 189 NSA analysts who were working on the " 'threat, only 53 of whom had

received the required training and guidance. Id. at 6-7, 12-13. On September 1J1h, an NSA analyst authorized to query the BR metadata sent an e-mail to the alias that

included a "general analytic summary" of the results of a query of the BR metadata. Id. at 7. After a recipient brought the e-mail to the attention of the NSA's Oversight and Compliance Office and Office of General Counsel, the Oversight and Compliance Office issued guidance on September 21 5\ "reemphasizing the point, no dissemination of query results in any form." Id. at 14. The NSA's Counter-terrorism organization sent a similar reminder on the morning of September 22 11 ct, however, that afternoon, a second NSA analyst who was authorized to query the BR metadata sent a situation report to the derived from a query of the BR metadata. Id. at 15. The government testified at the hearing that the NSA has taken steps to ensure that any sharing of the results of queries of the BR metadata within the NSA is fully consistent with the alias that contained information

TOP SECRET//CO MINT //NOFORN

TOP SECRET//COMINT//NOFORN Court's orders. First, the NSA has issued guidance interpreting "query results in any form," to mean any information of any kind derived from the BR metadata. Id. at 16. Second, NSA aliases for sharing information that could include BR metadata query results, will be limited to NSA personnel who have received the necessary training and guidance to receive those query results. Id. at 21-22. The Court hereby affirms that the NSA may share BR metadata query results in this manner consistent with the Court's October 30 Order. The only exception to this practice is under circumstances in which the Court has expressly authorized a deviation. 1 Report on Queries Described in Footnote 6 of the Court's October 30 Order According to the government, one advantage of the BR metadata repository is that it is historical in nature, reflecting contact activity from the past that cannot be captured in the present or prospectively. Declaration of t7,DocketNo. BR09-15. Atthe

government's request, the Court's September 3 Order and October 30 Order both aclmowledge that the government may query the BR metadata for historical purposes, using a telephone identifier that is not currently associated with one of the targeted foreign powers, but that was for a period of time in the past. 2

For example, pursuant to paragraph (3)J of the Court's order, NSA personnel authorized to query the BR metadata may use and share the identity of high-volume telephone identifiers and other types of identifiers not associated with specific users for purposes of metadata reduction and management, without regard to whether the recipient has received the training and guidance required for access to BR metadata query results.
2

Both orders contain the following footnote: "The Court understands that from time to time the information available to designated approving officials will indicate that a tele hone identifier w not resent! is but was not former! associated with In such a circumstance, so long as the designated approving official can determine that the reasonable, articulable suspicion standard can be met for a particular period of time with respect to the telephone identifier, NSA may query the BR metadata using that telephone identifier. However, analysts conducting queries using such telephone identifiers must be made aware of the time period for (continued ... )

TOP SECRET//COMINT//NOFORN

TOP SECRET//COMINT//NOFORN Nevertheless, the NSA's querying of the BR metadata using telephone identifiers that do not currently satisfy the "reasonable articulable suspicion" standard has been a source of concern for the Court. Given that telephone providers regularly re-assign telephone identifiers, and in light of the fact that the NSA acquires approximately - c a l l detail records per day, the vast majority of which are irrelevant to the Federal Bureau oflnvestigation's ("FBI") investigations and concern communications of United States persons in the United States, it would appear likely that such a query could produce results that include metadata from United States persons not under investigation by the FBI. In order to allay these concerns, the Court's September 3 Order mandated that any application to renew or reinstate the authority granted therein must include a report describing, among other things, how the NSA has conducted [these types of queries] and minimized any information obtained or derived therefrom. September 30rder at 18. The government's report submitted as Exhibit B to its Application in Docket Number 0915, stated: From time to time, NSA may have information indicatin identifier was used b an individual associated only for a particular timeframe. In these circumstances, NSA would seek and grant as appropriate, RAS approval, with the understanding that contact chaining would be conducted in a manner that covered a limited timeframe that has been identified.

in order that the analysis and minimization of the information retrieved from their queries may be informed by that fact." September 3 Order at 9, n. 5; October 30 Order at 9, n. 6.

TOP SECRET//COMINT//NOFORN

TOP SECRET//COMINT//NOFORN

The report then provided one example of how the NSA had conducted such a query. NSA Report to the Foreign Intelligence Surveillance Court (BR 09-13) at 15-16. This report was not sufficiently detailed to allay the Court's concerns, and the Court therefore continues to be concerned about the likelihood that these queries could reveal communications of United States person users of the telephone identifier who are not the subject of FBI investigations. As a result, the Court's October 30 Order contains the same reporting requirements as the September 3 Order. October 30 Order at 18-19. However, to assist the government in providing a report that satisfies its needs, the Court HEREBY ORDERS that any report submitted by the government pursuant to paragraph (3)S of the Court's October 30 Order shall include the following information with regard to how the NSA has conducted queries of the BR metadata using telephone identifiers determined to satisfy the reasonable articulable suspicion standard at some time in the past, but that do not currently meet the standard, and how the NSA minimized any information obtained or derived therefrom: 1. The total number of such queries run during the reporting period and what percentage those queries constitute of the total number of queries run. 2. Would the status of a telephone identifier that was approved for querying under these circumstances be changed on the Station Table to non-RAS approved once a single query using that identifier has been run? If not, does the NSA have an automated process to limit queries of that telephone identifier to the specified time frame? If not, how will an NSA analyst know that any query of that telephone identifier must be limited to the time period for which the reasonable articulable suspicion existed?

TOP SECRET//CO MINT//NOFORN

TOP SECRET//COMINT//NOFORN 3. Are NSA analysts permitted to conduct more than one query using any telephone identifier determined to have met the reasonabie articulable suspicion standard under circumstances described above, and if so, for what purpose? If query results from the first query indicated that the telephone identifier's association with the foreign power terminated earlier than the date the NSA believed the identifier no longer met the reasonable articulable suspicion, would the timeframe restriction be adjusted for any subsequent query? 4. If this type of query is run, and the NSA analyst who ran the query determines that the query results include records of communications that were made after the telephone identifier was re-assigned to a United States person who is not associated with the foreign power, must the analyst delete or otherwise mask such records prior to sharing the query results with NSA analysts authorized to receive query results pursuant to paragraph (3)I of the Court's order?

ENTERED this 5th day of November, 2009.

Judge, United States Foreign Intelligence Surveillance Court

TOP SECRET//COMINT//NOFORN

(b)(6)

You might also like