TOP SECRET//SI//NOFORN
mechanisms for analysts to annotate CDRs, and there was no mechanism 281
(U) Researchers have concluded that phone numbers can be combined with public data to
reidentify individuals with “trivial” effort, and that it “appears feasible—with further
refinement—to draw Facebook-quality relationship inferences from telephone metadata.” 282 The
feasibility of doing so augments the potential risks and harms associated with unauthorized users
and malicious actors who, if they had access to records, could de-anonymize CDRs or infer
sensitive data about individuals in that manner. However, as noted below, the Board is aware of
no instance in which USA Freedom Act CDR data was accessed by unauthorized or malicious
actors, and accordingly is aware of no instance in which this risk materialized during the life of
the program.
B. (U) Privacy Risks Arising from Two-Hop CDR Collection
(U) Unlike legal processes that allow the collection of one-hop CDRs (e.g., grand jury
subpoenas), the USA Freedom Act authorizes the collection of a second hop. A two-hop
program on this scale raises various privacy risks. Some could arise in any program that
involves the large-scale collection of sensitive data. Distinctive features of two-hop collection,
however, could have unique effects on the makeup of the dataset exposed to those risks.
(U) Specifically, privacy risks that arise from any large-scale collection of sensitive
datasets about Americans include the risk that authorized users could misuse their access to
view, steal, or leak sensitive data for personal, ideological, or other inappropriate ends; the risk
of theft or breach by unauthorized users or malicious outsiders; or the possibility that future
shifts in applicable law, policy, or available technology could alter the balance between privacy
risks and programmatic benefits. 283 Limits on retention, technological controls, and the agency’s
compliance culture play an important role in mitigating these risks, but cannot eliminate them.
While these risks are not specific to the USA Freedom Act CDR program, the exponential
increase in the scale of collection that results from adding a second hop significantly expands the
pool of data exposed to them.
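(U) The scale effect of the second hop is easiest to see on a small contact graph. The following Python script is an added example, not part of the Board's report or of any NSA or provider system; it simulates a hop-limited CDR order over a constructed set of call records with hypothetical numbers, treating either party to a call as a contact of the other and ignoring details such as time windows, provider boundaries, and minimization. It reports how many new numbers each hop reaches and how many records a one-hop versus a two-hop order would sweep in for the same seed, which is the multiplicative growth the paragraph above describes.

```python
from collections import defaultdict

# Constructed sample CDRs as (caller, callee) pairs. All numbers are hypothetical.
SAMPLE_CDRS = [
    ("seed", "a1"), ("seed", "a2"), ("a3", "seed"),   # seed's direct contacts (hop 1)
    ("a1", "b1"), ("a1", "b2"), ("b3", "a1"),         # a1's contacts (hop 2)
    ("a2", "b4"), ("a2", "b1"),                       # a2's contacts (b1 is shared)
    ("a3", "b5"), ("a3", "b6"), ("b7", "a3"),         # a3's contacts (hop 2)
    ("b1", "c1"), ("b2", "c2"), ("b5", "c3"),         # hop 3: beyond a two-hop order
    ("x1", "x2"),                                     # unrelated traffic
]


def build_contact_graph(cdrs):
    """Undirected contact graph: either party to a call is a contact of the other."""
    graph = defaultdict(set)
    for caller, callee in cdrs:
        graph[caller].add(callee)
        graph[callee].add(caller)
    return graph


def contact_chain(cdrs, seed, hops):
    """Simulate a hop-limited CDR order starting from one selection term.

    Returns (hop_sets, records). hop_sets[i] is the set of numbers first reached
    at hop i+1. records is every CDR a provider would return: each record in
    which one party is the seed or a number reached at a hop below the limit,
    since each such number is itself used as a selection term for the next hop.
    """
    graph = build_contact_graph(cdrs)
    reached = {seed}
    frontier = {seed}
    hop_sets = []
    for _ in range(hops):
        new_numbers = set()
        for number in frontier:
            new_numbers |= graph[number]
        new_numbers -= reached          # count each number once, at its first hop
        hop_sets.append(new_numbers)
        reached |= new_numbers
        frontier = new_numbers

    # Selection terms for an h-hop order: the seed plus everything reached at hops 1..h-1.
    selection_terms = {seed}
    for hop in hop_sets[:-1]:
        selection_terms |= hop
    records = [r for r in cdrs if r[0] in selection_terms or r[1] in selection_terms]
    return hop_sets, records


def collection_summary(cdrs, seed):
    """Compare one-hop and two-hop collection for the same seed."""
    one_hop_sets, one_hop_records = contact_chain(cdrs, seed, 1)
    two_hop_sets, two_hop_records = contact_chain(cdrs, seed, 2)
    return {
        "hop1_numbers": len(one_hop_sets[0]),
        "hop2_numbers": len(two_hop_sets[1]),
        "one_hop_records": len(one_hop_records),
        "two_hop_records": len(two_hop_records),
    }


if __name__ == "__main__":
    print(collection_summary(SAMPLE_CDRS, "seed"))
```

(U) On the constructed data the one-hop order returns only the three records touching the seed, while the two-hop order returns eleven records and pulls in seven numbers that never communicated with the seed at all; the third-hop numbers (c1, c2, c3) stay outside the order. With real call volumes the hop-2 set is roughly the seed's contact count multiplied by the average contact count of those contacts, which is why the second hop dominates the size of the dataset exposed to the risks discussed above.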
281 (U) Of course, if an NSA analyst was using a particular CDR—for example, to write an intelligence report—he
or she may have used information from that CDR to find other data lawfully in NSA’s possession. Together with
the CDR, this could have revealed additional information about the originator or recipient of a call. Learning more
about the associates of people suspected of involvement in terrorism is, of course, one of the important purposes for
which NSA collects and analyzes this information in the first place.
282 (U) Jonathan Mayer, Patrick Mutchler, & John C. Mitchell, Evaluating the privacy properties of telephone
metadata, 113 PNAS 5536, 5538 (May 17, 2016), https://www.pnas.org/content/pnas/113/20/5536.full.pdf.
283 (U) For example, future statutory changes could expand the purposes for which NSA is permitted to use or share
the information. Technological changes could also create unanticipated risks; improved analytical tools might
allow, for example, the government to draw more sophisticated inferences from the data than is possible today.