Page 26 - pclob usa freedom
P. 26

TOP SECRET//SI//NOFORN


                       (U) The same day it identified the problem, NSA stopped issuing new requests to the
               provider for data and also stopped processing data received from the provider into its
               repositories.  This ensured analysts stopped receiving access to new inaccurate CDRs.  NSA
               informed its analysts of the inaccurate information produced by the provider and cautioned them
               not to rely on CDRs from the affected time period.  The provider ultimately implemented a
               technical solution to its system to prevent delivery of inaccurate records to NSA.

                       (S//NF) Subsequent internal NSA investigations discovered that prior to the discovery of
               the data-integrity issue, some inaccurate CDRs were used to support four applications to the
               FISA court seeking USA Freedom Act authorization                                 .  On April
               11, 2018, the government filed a notice informing the FISA court of the inaccurate information
               produced by this provider.  The government also notified the FISA court of the four applications
               that relied on the inaccurate information.  NSA deleted CDRs acquired as a result of these four
               applications and recalled one disseminated intelligence report generated based on the inaccurate
               CDRs.

                                     c.     (U) Expanding Accuracy Concerns Lead NSA to Delete CDRs
                       (TS//SI//NF) In connection with its investigation into the provider’s production of
               inaccurate data associated with                       , NSA searched for similar anomalous
               data from the other providers and found a number of questionable CDRs.  In one instance, NSA
               brought the possibility of inaccurate CDRs to the attention of the provider.  That provider
               confirmed that it also produced CDRs with inaccurate data in               situations.  In
               addition, the provider had also reported to NSA a separate tranche of inaccurate CDRs.  Those
               CDRs included fields which had been overwritten with unrelated data.
                       (U) By May 2018, NSA realized that the providers could not identify for NSA all the
               affected records, and NSA had no way to independently determine which records contained
               inaccurate information.  Thus, NSA did not have a viable way to remove the affected records and
               retain unaffected records.  In response, NSA initiated the deletion of all data produced under the
               USA Freedom Act by providers.   116   NSA also successfully revalidated all reports produced by
               NSA by that time and confirmed they did not rely upon inaccurate CDRs produced in error by
               the providers.  NSA issued a public statement regarding its deletion of USA Freedom Act
               CDRs.  117




               116  (U) In September 2018, NSA’s Office of the Inspector General identified a small number of USA Freedom Act
               “data objects” derived from CDRs that should have been deleted but were not, based upon NSA’s mistaken
               assumption regarding the technical configurations for a single SIGINT repository.  By October 15, 2018, NSA had
               also deleted this data.  See NSA Office of the Inspector General, Semi-Annual Report to Congress: 1 October 2018
               to 31 March 2019, 13 (Jan. 2019), https://oig nsa.gov.
               117  (U) Government Notice to the FISA court ¶ 7 (June 4, 2018); see also NSA Press Release, NSA Reports Data
               Deletion, PA-010-18 (June 28, 2018).
                                                             23


                                                TOP SECRET//SI//NOFORN
   21   22   23   24   25   26   27   28   29   30   31