The U.S. National Security Agency violated rules on surveillance of telephone records for almost three years and misled a secret court, raising fresh concerns that spy programs lack adequate controls to protect Americans’ privacy.
The latest revelations show NSA spying was broader, violated restrictions on domestic surveillance more often, and may have targeted innocent Americans to a greater degree than previously known. They are contained in documents released yesterday by Director of National Intelligence James Clapper in response to privacy groups’ lawsuits.
The agency ran a select list of phone numbers against databases of millions of call records between May 2006 and January 2009 without having reason to suspect some of the numbers’ owners of terrorist ties, according to the records.
“The court entrusted NSA with extraordinary authority, and with it came the highest responsibility for compliance and protection of privacy rights,” NSA Director Keith Alexander wrote in one of the declassified documents. “In several instances, NSA implemented its authority in a manner inconsistent with the orders, and some of these inconsistencies were not recognized for more than two and a half years.”
The Electronic Frontier Foundation, a privacy-rights group in San Francisco, sued the NSA to obtain the documents that had been issued by a secret intelligence court.
“It’s pretty damning,” said Trevor Timm, a digital rights analyst with EFF. “This shows a larger pattern that a lot of times the NSA doesn’t alert the court to serious privacy violations, whether they are intentional or unintentional, for years down the road.”
The violations involved checks on as many as 16,000 phone numbers, including some based in the U.S., said two senior intelligence officials with direct knowledge of how the program operated. They asked not to be identified in order to speak about sensitive matters.
Intelligence officials notified the Foreign Intelligence Surveillance Court, which oversees intelligence gathering on Americans, of the violations on Jan. 15, 2009, five days before President Barack Obama was sworn in.
Among other violations, a “significant” number of domestic telephone numbers were added to lists for heightened scrutiny without proper review, according to an Aug. 17, 2009 filing by the NSA with the court. The agency said it had remedied the violations through better training and technological fixes.
Between March 2009 and September 2009 the court required the NSA to get approval for each number it wanted to query. In September of that year the court approved revised procedures that allowed the program to continue, the official said.
Within three weeks, the NSA reported that unauthorized personnel had been given access to some of the records. U.S. District Judge Reggie Walton, serving on the surveillance court, wrote of being “deeply troubled by the incidents.” He ordered the parties to appear at a hearing to assess whether to shut the surveillance program down. He didn’t take that step.
The NSA collects bulk phone records, such as numbers and call durations, from companies including Verizon Communications Inc. (VZ) under Section 215 of the USA Patriot Act.
Under the law, the agency must have “reasonable, articulable suspicion” that a phone number may be connected to a terrorist plot to query it against the larger database of records.
Between May 2006 and January 2009, NSA analysts would query the database with thousands of numbers on an “alert list,” the intelligence officials said. Those numbers didn’t meet the necessary legal standard for ongoing searches, the officials said.
The alert list grew from 3,980 in 2006 to 17,835 in 2009, one of the officials said. About 2,000 numbers on the list in 2009 met the necessary standard, the official said, meaning almost 16,000 didn’t. The alert list was shut down on Jan. 24, 2009, according to one of the declassified documents.
The NSA misled the surveillance court during those years by certifying the legal standard was met for all numbers queried, the official said.
Alexander described to the court in a Feb. 13, 2009, filing how mistakes were made in using the alert list. Four days later, the Justice Department submitted a memorandum to the court saying declarations made by Alexander were inaccurate and that the government didn’t have the authority to use the list in the manner it did.
Remedies put in place “should significantly improve compliance with the court’s orders,” Alexander said. He added that “no corrective measures are infallible.” Remedies include software that prevents queries about numbers not on an approved list, Alexander said.
It wasn’t the first time the NSA has acknowledged violating surveillance rules or misleading the court.
The NSA said last month that, in a handful of cases, some employees or contractors deliberately spied on people of interest to them, including for romantic motivations.
Separately, a legal opinion declassified Aug. 21 revealed that the NSA intercepted as many as 56,000 electronic communications a year of Americans who weren’t suspected of having links to terrorism, before the secret court that oversees surveillance found the operation unconstitutional in 2011.
In a declassified legal opinion from October 2011, the court said the agency misrepresented the scope of surveillance operations three times in less than three years.
A May 2012 internal government audit found more than 2,700 violations involving NSA surveillance of Americans and foreigners over a one-year period. The audit was reported Aug. 16 by the Washington Post, citing documents provided by former NSA contractor Edward Snowden.
The extent of the phone metadata program was exposed in June by Snowden, who’s now in Russia under temporary asylum. He revealed a classified legal order compelling Verizon to turn over the phone records of millions of customers to the NSA.
The administration acknowledged that the phone metadata program involves multiple telecommunications carriers in an Aug. 9 description of how the program works, without naming other participating companies.
Yesterday’s disclosures were made in response to a judge’s order in a freedom of information lawsuit brought by the Electronic Frontier Foundation.
The group sued after the government didn’t respond to its requests to turn over documents describing its collection and surveillance efforts. In November the government asked U.S. District Judge Yvonne Gonzalez Rogers in Oakland, California, to toss the case, saying the EFF sought documents that were exempt from disclosure to protect national security.
The Justice Department said in a Sept. 5 court filing that it would release hundreds of pages to EFF, including orders and opinions of the surveillance court from January 2004 to June 2011 and other documents about the court’s work.
The government has collected “the details of every call made by every American” in violation of the Patriot Act, said Republican Representative Jim Sensenbrenner of Wisconsin, who helped write the 2001 law.
“The implications of this flawed interpretation are staggering,” Sensenbrenner wrote in a Sept. 6 letter to Attorney General Eric Holder. “The logic the administration uses for bulk collection would seem to support bulk collection of other personal data.”
The case is Electronic Frontier Foundation v. Department of Justice, 11-05221, U.S. District Court, Northern District of California (Oakland).
To contact the reporter on this story: Chris Strohm in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Bernard Kohn at email@example.com