By James Ball and Spencer Ackerman
The National Security Agency has a secret backdoor into its vast databases under a legal authority enabling it to search for U.S. citizens’ email and phone calls without a warrant, according to a top-secret document passed to the Guardian by Edward Snowden.
The previously undisclosed rule change allows NSA operatives to hunt for individual Americans’ communications using their name or other identifying information. Senator Ron Wyden told the Guardian that the law provides the NSA with a loophole potentially allowing “warrantless searches for the phone calls or emails of law-abiding Americans.”
The authority, approved in 2011, appears to contrast with repeated assurances from Barack Obama and senior intelligence officials to both Congress and the American public that the privacy of U.S. citizens is protected from the NSA’s dragnet surveillance programs.
The intelligence data is being gathered under Section 702 of the of the Fisa Amendments Act (FAA), which gives the NSA authority to target without warrant the communications of foreign targets, who must be non-U.S. citizens and outside the U.S. at the point of collection.
The communications of Americans in direct contact with foreign targets can also be collected without a warrant, and the intelligence agencies acknowledge that purely domestic communications can also be inadvertently swept into its databases. That process is known as “incidental collection” in surveillance parlance.
But this is the first evidence that the NSA has permission to search those databases for specific U.S. individuals’ communications.
Loophole Derived from a Secret Glossary Document
A secret glossary document provided to operatives in the NSA’s Special Source Operations division â€“ which runs the Prism program and large-scale cable intercepts through corporate partnerships with technology companies â€“ details an update to the “minimization” procedures that govern how the agency must handle the communications of U.S. persons. That group is defined as both American citizens and foreigners located in the U.S.
“While the FAA 702 minimization procedures approved on 3 October 2011 now allow for use of certain United States person names and identifiers as query terms when reviewing collected FAA 702 data,” the glossary states, “analysts may NOT/NOT [not repeat not] implement any USP [U.S. persons] queries until an effective oversight process has been developed by NSA and agreed to by DOJ/ODNI [Office of the Director of National Intelligence].”
The term “identifiers” is NSA jargon for information relating to an individual, such as telephone number, email address, IP address and username as well as their name.
The document â€“ which is undated, though metadata suggests this version was last updated in June 2012 â€“ does not say whether the oversight process it mentions has been established or whether any searches against U.S. person names have taken place.
Senate Intelligence Committee Members Wyden and Udall Continue to Question the NSA’s Practices
Wyden, an Oregon Democrat on the Senate intelligence committee, has obliquely warned for months that the NSA’s retention of Americans’ communications incidentally collected and its ability to search through it have been far more extensive than intelligence officials have stated publicly. Speaking this week, Wyden told the Guardian it amounts to a “backdoor search” through Americans’ communications data.
“Section 702 was intended to give the government new authorities to collect the communications of individuals believed to be foreigners outside the U.S., but the intelligence community has been unable to tell Congress how many Americans have had their communications swept up in that collection,” he said.
“Once Americans’ communications are collected, a gap in the law that I call the ‘back-door searches loophole’ allows the government to potentially go through these communications and conduct warrantless searches for the phone calls or emails of law-abiding Americans.”
Wyden, along with his intelligence committee colleague Mark Udall, have attempted repeatedly to warn publicly about the ability of the intelligence community to look at the communications of U.S. citizens, but are limited by their obligation not to reveal highly classified information.
But in a letter they recently wrote to the NSA director, General Keith Alexander, the two senators warned that a fact sheet released by the NSA in the wake of the initial Prism revelations to reassure the American public about domestic surveillance was misleading.
In the letter, they warned that Americans’ communications might be inadvertently collected and stored under Section 702, despite rules stating only data on foreigners should be collected and retained.
“[W]e note that this same fact sheet states that under Section 702, ‘Any inadvertently acquired communication of or concerning a U.S. person must be promptly destroyed if it is neither relevant to the authorized purpose nor evidence of a crime,'” they said.
“We believe that this statement is somewhat misleading, in that it implied the NSA has the ability to determine how many American communications it has collected under Section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans.”
NSA’s Use of “Inadvertently Acquired” Information
The foreign intelligence surveillance (Fisa) court issues approvals annually authorizing such operations, with specific rules on who can be targeted and what measures must be taken to minimize any details “inadvertently” collected on U.S. persons.
Secret minimization procedures dating from 2009, published in June by the Guardian, revealed that the NSA could make use of any “inadvertently acquired” information on U.S. persons under a defined range of circumstances, including if they held usable intelligence, information on criminal activity, threat of harm to people or property, are encrypted or are believed to contain any information relevant to cybersecurity.
At that stage, however, the rules did not appear to allow for searches of collected data relating to specific U.S. persons.
Official Assurances: Narrow and Unsatisfactory
Assurances from Obama and senior administration officials to the American public about the privacy of their communications have relied on the strict definition of what constitutes “targeting” while making no mention of the permission to search for U.S. data within material that has already been collected.
The day after the Guardian revealed details of the NSA’s Prism program, President Obama said: “Now, with respect to the internet and emails, this doesn’t apply to U.S. citizens and it doesn’t apply to people living in the United States.”
Speaking at a House hearing on 18 June this year, deputy attorney general James Cole told legislators “[T]here’s a great deal of minimization procedures that are involved here, particularly concerning any of the acquisition of information that deals or comes from U.S. persons.
“As I said, only targeting people outside the United States who are not U.S. persons. But if we do acquire any information that relates to a U.S. person, under limited criteria only can we keep it.”
Dianne Feinstein, the California Democrat who chairs the Senate intelligence committee, said in June 2012 that she believed the intelligence agencies and the Justice Department were sufficiently mindful of Americans’ privacy.
“The intelligence community is strictly prohibited from using Section 702 to target a U.S. person, which must at all times be carried out pursuant to an individualized court order based upon probable cause,” Feinstein stated in a report provided to the Senate record.
While there are several congressional proposals to constrain the NSA’s bulk collection of Americans’ phone records, there has to date been much less legislative appetite to abridge its powers under Section 702 â€“ as lawmakers are satisfied it doesn’t sufficiently violate Americans’ privacy.
“702 is focused outside the United States at non-citizens,” said Adam Schiff, a member of the House intelligence committee. “The evidence of the effectiveness of 702 is much more substantial than 215 [the bulk phone records collection]. So I think there are fewer fourth amendment concerns and more evidence of the saliency of the program.”
Wyden and Udall Still Not Satisfied
Wyden and Udall â€“ both of whom say foreign surveillance conducted under Section 702 has legitimate value for U.S. national security â€“ have tried and failed to restrict the NSA’s ability to collect and store Americans’ communications that it accidentally acquires.
Wyden told the Guardian that he raised concerns about the loophole with President Obama during an August 1 meeting with legislators about the NSA’s surveillance powers.
“I believe that Congress should reform Section 702 to provide better protections for Americans’ privacy, and that this could be done without losing the value that this collection provides,” he said.
The Guardian put the latest revelations to the NSA and the Office of the Director of National Intelligence but no response had been received by the time of publication.Î¦
James Ball is a data journalist working for the Guardian investigations team. He joined the Guardian from Wikileaks, and the Bureau of Investigative Journalism. He was the Washington Post Laurence Stern Fellow for 2012.
Spencer Ackerman is national security editor for Guardian US. A former senior writer for Wired, he won the 2012 National Magazine Award for Digital Reporting.