Page 24 - pclob usa freedom
P. 24

TOP SECRET//SI//NOFORN




               operating the USA Freedom Act CDR program.  A classified appendix describes these incidents
               in more detail.

                              1.     (U) General Compliance Matters


                       (U) Some of the notices filed with the FISA court, which are described in this section,
               dealt with compliance incidents which could occur when using other intelligence or equivalent
               law enforcement collection authorities and were the result of two types of government error and
               one type of provider error.

                                     a.     (U) Omitted Information from FISA Application

                       (U) In one instance, the same day the FISA court approved the government’s application
               under the USA Freedom Act, FBI informed NSA that it possessed intelligence which called into
               question facts the government relied on in its application. 113   FBI attributed its failure to share
               this intelligence with NSA and the Department of Justice to an internal oversight. 114   NSA asked
               the providers to stop producing CDRs for certain specific selection terms affected by the
               omissions and asked the providers to continue production for the specific selection term that was
               not affected by the omissions and continued to meet the statutory requirements.

                                     b.     (U) Overproduction

                       (S//NF) Three days after a valid FISA court order expired, a provider transmitted
                  CDRs associated with the expired order to NSA.  Upon receiving the files, NSA’s automated
               initial review in System 1 determined that the CDRs should not have been produced and, as a
               result, ensured that NSA analysts did not gain access to the files.  NSA destroyed all CDRs
               erroneously transmitted by the provider within a few days.

                                     c.     (U) Training Compliance Incidents

                       (U) NSA discovered that a number of NSA personnel were unintentionally granted access
               to USA Freedom Act CDRs even though the personnel did not have training required by the
               minimization procedures.  NSA confirmed that this issue was caused by human error.  Among
               other corrective steps, NSA revoked access credentials for personnel.  In light of this incident,
               NSA sped up its efforts to shift from manual verification of training toward automated
               verification.  Additionally, NSA analysts improperly shared CDR information via email with
               NSA analysts who had not had the formal USA Freedom Act training.  In this instance, NSA






               113  (U) Government Notice to the FISA court ¶ 2 (May 24, 2016).

               114  (U) Prior to the filing of the application, a foreign partner provided additional information about the target to FBI.
               Due to an FBI analyst’s annual leave, that additional information was not included in the application.  FBI briefing
               to Board staff (Oct. 22, 2019); Government Notice to the FISA court (May 24, 2016).

                                                             21




                                                TOP SECRET//SI//NOFORN
   19   20   21   22   23   24   25   26   27   28   29