In June of this year, President Obama directed me to declassify and make public as much information as possible about certain sensitive intelligence collection programs undertaken under the authority of the Foreign Intelligence Surveillance Act (FISA) while being mindful of the need to protect national security. Consistent with this directive, today I authorized the declassification and public release of a number of documents pertaining to the Government’s collection of bulk telephony metadata under Section 501 of the FISA, as amended by Section 215 of the USA PATRIOT Act. These documents were properly classified, and their declassification is not done lightly. I have determined, however, that the harm to national security in these circumstances is outweighed by the public interest.
Release of these documents reflects the Executive Branch’s continued commitment to making information about this intelligence collection program publicly available when appropriate and consistent with the national security of the United States. Some information has been redacted because these documents include discussion of matters that continue to be properly classified for national security reasons and the harm to national security would be great if disclosed. These documents will be made available at the website of the Office of the Director of National Intelligence (www.dni.gov), and on the recently established public website dedicated to fostering greater public visibility into the intelligence activities of the Government (IContheRecord.tumblr.com).
The documents released today were provided to Congress at the time of the events in question and include orders and opinions from the Foreign Intelligence Surveillance Court (FISC), filings with that court, an Inspector General Report, and internal NSA documents. They describe certain compliance incidents that were discovered by NSA, reported to the FISC and the Congress, and resolved four years ago. They demonstrate that the Government has undertaken extraordinary measures to identify and correct mistakes that have occurred in implementing the bulk telephony metadata collection program – and to put systems and processes in place that seek to prevent such mistakes from occurring in the first place.
More specifically, in response to the compliance incident identified in 2009, the Director of NSA instituted a number of remedial and corrective steps, including conducting a comprehensive “end-to-end” review of NSA’s handling of telephony metadata obtained under Section 501. This comprehensive review identified additional incidents where NSA was not complying with aspects of the FISC’s orders.
The compliance incidents discussed in these documents stemmed in large part from the complexity of the technology employed in connection with the bulk telephony metadata collection program, interaction of that technology with other NSA systems, and a lack of a shared understanding among various NSA components about how certain aspects of the complex architecture supporting the program functioned. These gaps in understanding led, in turn, to unintentional misrepresentations in the way the collection was described to the FISC. As discussed in the documents, there was no single cause of the incidents and, in fact, a number of successful oversight, management, and technology processes in place operated as designed and uncovered these matters.
Upon discovery of these incidents, which were promptly reported to the FISC, the Court, in 2009, issued an order requiring NSA to seek Court approval to query the telephony metadata on a case-by-case basis, except when necessary to protect against an imminent threat to human life. Thereafter, NSA completed its end-to-end review and took several steps to remedy these issues, including making technological fixes, improving training, and implementing new oversight procedures. These remedial steps were then reported to the Court, and in September 2009, the Court lifted the requirement for NSA to seek approval to query the telephony metadata on a case-by-case basis and has since continuously reauthorized this program. The Intelligence and Judiciary Committees were informed of the compliance incidents beginning in February 2009 and kept apprised of the Government’s corrective measures throughout the process, including being provided copies of the Court’s opinions, the Government’s report to the Court, and NSA’s end-to-end review.
Upon discovery of these issues in 2009, NSA also recognized that its compliance and oversight infrastructure had not kept pace with its operational momentum and the evolving and challenging technological environment in which it functioned. Therefore NSA, in close coordination with the Office of the Director of National Intelligence and the Department of Justice, also undertook significant steps to address these issues from a structural and managerial perspective, including thorough enhancements to its compliance structure that went beyond this specific program. For example, in 2009, NSA created the position of the Director of Compliance, whose sole function is to keep all of NSA’s mission activities consistent with the law and applicable policies and procedures designed to protect U.S. person privacy by strengthening NSA’s compliance program across NSA’s operational and technical personnel. NSA also added additional technology-based safeguards, implemented procedures to ensure accuracy and precision in FISC filings, and initiated regular detailed senior leadership reviews of the compliance program. NSA has also enhanced its oversight coordination with the Office of the Director of National Intelligence and the Department of Justice.
Since 2009, the Government has continued to increase its focus on compliance and oversight. Today, NSA’s compliance program is directly supported by over three hundred personnel, which is a fourfold increase in just four years. This increase was designed to address changes in technology and authorities and reflects a commitment on the part of the Intelligence Community and the rest of the Government to ensuring that intelligence activities are conducted responsibly and subject to the rule of law. NSA’s efforts have proven successful in its implementation of the telephony metadata collection program since the changes made in 2009. Although there have been a handful of compliance incidents each year, these were the result of human error or provider error in individual instances and were not the result of systemic misunderstandings or problems of the type discovered in 2009. Each of these individual incidents upon identification were immediately reported to the FISC and remedied.
Moreover, the FISC in September of 2009 relieved the Government of its requirement to seek Court approval to query the metadata on a case-by-case basis and has continued to reauthorize this program. Indeed, in July of this year the FISC once again approved the Government’s request for reauthorization.
The documents released today are a testament to the Government’s strong commitment to detecting, correcting, and reporting mistakes that occur in implementing technologically complex intelligence collection activities, and to continually improving its oversight and compliance processes. As demonstrated in these documents, once compliance incidents were discovered in the telephony metadata collection program, additional checks, balances, and safeguards were developed to help prevent future instances of non-compliance.
James R. Clapper, Director of National Intelligence
March 5, 2009 – Cover Letter to Chairman of the Intelligence and Judiciary Committees
Cover letter submitting several Foreign Intelligence Surveillance Court (FISC) opinions and Government filings relating to the Government’s discovery and remediation of compliance incidents in its handling of bulk telephony metadata under docket number BR 08-13, described below.
September 3, 2009 – Cover Letter to Chairman of the Intelligence and Judiciary Committees
Cover letter submitting the Government’s report to the Court and NSA’s end-to-end review describing its investigation and remediation of compliance incidents in its handling of bulk telephony metadata under docket number BR-09-09, described below.
May 24, 2006 – Order from the Foreign Intelligence Surveillance Court
Order of the FISC approving the Government’s request for authorization to collect bulk telephony metadata under Section 501 of FISA.
December 12, 2008 – Supplemental Opinion from the Foreign Intelligence Surveillance Court
Opinion of the FISC concluding that the production of bulk telephony metadata records pursuant to Section 501 of FISA is not inconsistent with Sections 2702 and 2703 of Title 18 of the United States Code.
Order of the FISC directing the Government to provide additional information regarding its identification and notification that NSA had improperly queried the bulk telephony metadata by using an automated “alert list” process that resulted in the use of selectors that had not been individually reviewed and determined to meet he required reasonable articulable suspicion standard.
Memorandum of the Government providing additional information relating to the compliance incident described directly above and describing additional oversight mechanisms deployed by the Government following identification of this compliance incident.
February 26, 2009 – Notice of Compliance Incident
Memorandum of the Government providing the FISC with notice of additional compliance incidents identified during NSA’s ongoing end-to-end review of the telephony metadata program.
March 2, 2009 – Order from the Foreign Intelligence Court (Updated 3/28/14 - Reprocessed document responsive to a Freedom of Information Act request by the Electronic Frontier Foundation.)
In light of the compliance incidents identified and reported by the Government, the FISC ordered NSA to seek Court approval to query the telephony metadata on a case-by-case basis, except where necessary to protect against an imminent threat to human life “until such time as the Government is able to restore the Court’s confidence that the government can and will comply with the previously approved [Court] procedures for accessing such data.”
June 22, 2009 – Order (Updated 3/28/2014 - Reprocessed document responsive to a Freedom of Information Act request by the Electronic Frontier Foundation.)
In response to the Government’s reporting of a compliance incident related to NSA’s dissemination of certain query results discovered during NSA’s end-to-end review, the FISC ordered the Government to report on a weekly basis, any disseminations of information from the metadata telephony program outside of NSA and provide further explanation of the incident in its final report upon completion of the end-to-end review.
August 19, 2009 – Report of the United States with attachments:
Report of the Government describing the compliance issues uncovered during NSA’s end-to-end review, including an explanation for how the compliance issues were remedied. Attached to the Report are declarations of the value of the bulk telephony metadata program from the Directors of NSA and the FBI.
NSA’s end-to-end review of it’s implementation of the FISC’s authorization under Section 215.
September 3, 2009 – Primary Order from the Foreign Intelligence Surveillance Court
Order of the FISC renewing authorization for the bulk telephony metadata program, and no longer requiring NSA to seek FISC approval to query the telephony metadata program on a case-by-case basis.
In response to the Government’s identification and notice to the FISC regarding improper dissemination of information related to an ongoing threat, the FISC ordered a hearing to inform the FISC of the scope and circumstances of the compliance incident.
November 5, 2009 – Supplemental Opinion and Order from the Foreign Intelligence Surveillance Court
Supplemental Opinion and Order of the FISC reiterating Court ordered restrictions on NSA’s handling of query results of the telephony metadata program, and directing the Government to provide the court with additional information regarding queries of the telephony metadata.
November 23, 2010 – Supplemental Order from the Foreign Intelligence Surveillance Court (Added: 3/28/14 - Newly posted document responsive to a Freedom of Information Act request by the Electronic Frontier Foundation.)
Supplemental Order issued by the FISC in response to a government request for records concerning an individual target, not an application requesting records in bulk. The order interprets the relationship between the Right to Financial Privacy Act and Section 215 of the USA PATRIOT Act.