Page 55 - pclob usa freedom

TOP SECRET//SI//NOFORN




               information derived from these providers into its long-term repositories—even though the
               Department of Justice believed that it could. 274
                       (U) Other data-integrity errors involved inaccurate data transmitted to NSA by providers.
               In one such incident, a provider overwrote certain CDR fields with unrelated data.  If the
               inaccurate fields were used as the basis for subsequent collection, it would raise the question
               whether an automated request for second-hop results based on irrelevant data returned by a first-
               hop request would constitute a request based on “session-identifying information . . . identified
               by the specific selection term used” in the first-hop request. 275   NSA responded by (1) notifying
               the FISA court to describe each of these data-integrity errors and (2) deleting all of the affected
               records.

                       (TS//SI//NF) Given the decision not to use the information obtained in incidents
               involving                                       , as well as the subsequent decision to suspend
               the program, the government never litigated to a conclusion complications surrounding these
               issues.  The agency’s decisions to err on the side of caution meant that abstract questions about
               the application of statutory text to these esoteric compliance incidents were never resolved.  At
               bottom, this analysis reveals an inherent indeterminacy in the statutory text, which incorporates
               terms (most notably, “session-identifying information”) whose precise meaning is hinted at but
               not conclusively defined.  NSA resolved statutory uncertainties related to compliance incidents
               by proceeding cautiously, opting to rely on narrow interpretations rather than more expansive
               alternatives.  Nevertheless, this experience counsels close attention to the range of potential
               meanings of statutory terms relating to technology by drafters, overseers, and agencies
               themselves.  This is particularly important when an agency will be tasked with applying these
               terms to large-scale data collection involving complex technical infrastructure whose precise
               contours may not yet be known.  Ultimately, these incidents serve mostly to illustrate the
               unanticipated complications that can arise even within a seemingly straightforward statutory
               framework.

















               274  (U) Supplemental Notice of Compliance Incident Regarding Multiple Dockets In Re Applications of the Federal
               Bureau of Investigation for Orders Requiring the Production of Call Detail Records (CDRs) Pursuant to Title V of
               FISA, as amended by the USA FREEDOM Act (Mar. 4, 2019).
               275  (U) 50 U.S.C. § 1861(c)(2)(F)(iv).