Page 52 - pclob usa freedom
P. 52
TOP SECRET//SI//NOFORN
beyond the end date of an order do not uniquely implicate CDRs or the fact that the USA
Freedom Act provides a two-hop collection authority. Based on our review of the facts, the
Board determined that these incidents were inadvertent, not willful, and that NSA handled each
case seriously. Whether purposeful or incidental, such compliance incidents are not trivial. In
each instance, the government notified the FISA court and took steps to remediate the issue,
including by deleting the affected data. 257
(TS//SI//NF) Other incidents raise questions that are unique to the contours of the USA
Freedom Act. Specifically, the incidents involving 258
259 raise other statutory questions. In these incidents, NSA systems automatically
pushed requests to providers that were based on data received by NSA in response to a prior
request. These incidents present intricate questions about the application of statutory terms to
the telephony infrastructure. 260
(TS//SI//NF) In the first set of CDR-specific incidents, NSA’s system automatically
requested a second hop of data based off , rather than the ultimate
recipient of a call. 261 Note, however, that the statute does not actually use the colloquial term
“hop.” Rather, the relevant text of the statute permits a FISA court order issued under the Act to
“provide that the Government may require the prompt production of a second set of call detail
records using session-identifying information . . . identified by the specific selection term used”
as the basis for the first request for CDRs. 262 The question is thus whether is
the type of information the government can use to “require the prompt production of a second set
of call detail records”; that is, in statutory terms, whether constitutes
257 (U) See Part II(B)(1).
258 (U) Part II(B)(2)(a).
259 (U) Part II(B)(2)(b).
260 (U) Adding an additional layer of complexity, the relevant provision of the statute is addressed not to the agency,
but to the FISA court, specifying what an order issued under the CDR provision may and must contain. 50 U.S.C.
§ 1861(c)(2)(F) (“An order under this subsection . . . shall authorize the production on a daily basis of call detail
records . . . [shall] provide that the Government may require the prompt production of a first set of call detail records
. . . [shall] provide that the Government may require the prompt production of a second set of call detail records
using session-identifying information . . . identified by the specific selection term use to produce [the first set of] call
detail records[.]”). Those statutory terms are then incorporated by the court in the primary orders issued to the
agency and secondary orders issued to providers. The Board is not aware of any FISA court opinions that address
the compliance incidents discussed here and their implications for compliance with the statute or relevant court
orders.
261 (U) Re: Preliminary Notice of Compliance Incident Regarding Applications of the Federal Bureau of
Investigation for Orders Requiring the Production of Call Detail Records, Various Docket Numbers (Nov. 22, 2017).
262 (U) 50 U.S.C. § 1861(c)(2)(F)(iv).
49
TOP SECRET//SI//NOFORN
