Page 51 - pclob usa freedom
P. 51

TOP SECRET//SI//NOFORN




               response to the initial specific selection term. 250   In short, it authorized the government to obtain
               two hops of CDRs on an ongoing basis.
                       (U) The statutory framework also imposed boundaries on CDR collection.  A notable
               limitation arose from the definition of “call detail record,” which the statute defined to exclude
               the contents of a communication, the name of a subscriber or customer, and cell-site location or
               global positioning system information. 251   The Board is aware of no instance in which NSA
               sought to circumvent this or any other statutory limitation related to the program. 252   For
               example, the Board is not aware of any instance in which NSA sought or obtained global
               positioning system information, cell-site location information, or the names of subscribers.

                       (U) The technical architecture created by NSA to collect CDRs under the USA Freedom
               Act was designed to comport with the statute. 253   As described in Part II of this report, the system
               contained a series of safeguards; many could be mapped directly to the statutory limitations,
               while others were implemented for policy and compliance purposes.  For example, when
               receiving CDRs from providers, NSA’s validation checks could detect if a provider had
               accidentally sent additional data fields forbidden by the statute, such as subscriber name or cell-
               site location information.  The system was technically unable to ingest information not contained
               in the roughly fifty specified data fields. 254

                              2.     (U) Compliance Incidents and Data-Integrity Concerns


                       (U) Beginning in 2016, NSA identified a series of compliance and data-integrity
               concerns.  These can be divided into two categories: those that could arise in other areas of FISA
               or equivalent law enforcement authorities, and those unique to the USA Freedom Act’s statutory
               framework.
                       (U) The incidents involving information omitted from a 2016 application to the FISA
               court, 255  certain NSA officers’ missing required training, 256  and a provider’s production of data



               250  (U) 50 U.S.C. § 1861(c)(2)(F)(iv).
               251  (U) 50 U.S.C. § 1861(k)(3)(B).  The statute also required the government to conduct this collection under
               approved minimization procedures, and to destroy information as required by those procedures.  50 U.S.C.
               § 1861(c)(2)(A), (F)(vii).
               252  (U) Other statutory requirements include that collection be based on a specific selection term, that the
               government have approved minimization procedures, and that it destroys information as required by those
               procedures.  50 U.S.C. § 1861(c)(2)(A), (F)(vii).
               253  (U) See Part II(A) for an explanation of this architecture.  See also NSA USA Freedom Act Transparency Report.
               254  (U//FOUO) See NSA Final Answers to PCLOB Questions (Nov. 22, 2019).
               255  (U) Part II(B)(1)(a).

               256  (U) Part II(B)(1)(c).

                                                             48




                                                TOP SECRET//SI//NOFORN
   46   47   48   49   50   51   52   53   54   55   56