Page 53 - pclob usa freedom

TOP SECRET//SI//NOFORN




               “session-identifying information . . . identified by the specific selection term used to produce”
               the first set of CDRs. 263
                       (U) Although the statute does not define “session-identifying information,” it does
               provide a non-exclusive list of examples, specifying that “call detail record” means, among other
               things, “session-identifying information (including an originating or terminating telephone
               number, an [IMSI] number, or an [IMEI] number).”  264   The word “including” indicates that these
               enumerated examples are illustrative, not exclusive.  Accordingly, “session-identifying
               information” might include other things too. 265

                       (TS//SI//NF) But what other things?  Could                    used to connect a call
               constitute “session-identifying information” under the statute?


                                                                                      Furthermore, the statute
               excludes from its examples of session-identifying information other information that is part of a
               CDR, specifically “a telephone calling card number, or the time or duration of a call.”  On the
               other hand, reading the phrase “session-identifying” to encompass only information about the
               endpoints—one possible attribute of a session, but not the only one—would effectively
               transform “session-identifying” into “user-identifying” or “endpoint-identifying.”  Without more
               specific language in the statute, it remains uncertain whether the use of                as
               “session-identifying information” would have been appropriate under the statute as the basis for
               a request for a second set of CDRs.  Moreover, this statutory question must be considered
               alongside other textual features of the Act, including Congress’s prohibition on the bulk
               collection of metadata.

                       (TS//SI//NF) In the end, however, the agency adopted a narrow reading of the statute and
               acted accordingly, ending the inadvertent                        collection, deleting the
               records it produced, and notifying the FISA court. 266






               263  (U) 50 U.S.C. § 1861(c)(2)(F)(iv).
               264  (U) 50 U.S.C. § 1861(k)(3).  A FISA court opinion predating the USA Freedom Act similarly defined session-
               identifying information as including, “e.g., originating and terminating telephone number, communications device
               identifier, etc.”  FISC Order No. 2007-10, at 2 (May 3, 2007).
               265  (U) See, e.g., Federal Land Bank of St. Paul v. Bismarck Lumber Co., 314 U.S. 95, 100 (1941) (“[T]he term
               ‘including’ is not one of all-embracing definition, but connotes simply an illustrative application of the general
               principle[.]”).
               266  (U) Another intricacy here is that NSA was unaware of the underlying infirmities in the first-hop results when its
               system automatically pushed them out to providers as the basis for second-hop collection.  Whatever the legal
               significance of this fact for purposes of assessing NSA’s compliance with court orders, NSA took prompt corrective
               action once it became aware of the problem.  See Re: Supplemental Notice of Compliance Incident Regarding
