Page 58 - pclob usa freedom

TOP SECRET//SI//NOFORN


                       (U) Two distinctive features of two-hop collection affect the type of records exposed to
               those risks.  The first arises from the possibility of errors in first-hop results.  In a two-hop
               program, errors in first-hop records, if not caught and corrected, could lead to the collection of a
               large number of second-hop records that should not have been collected.  For example, if a
               technical error caused a first-hop record to include an incorrect phone number as the call
               recipient, all second-hop records associated with that number could be erroneously collected.  In
               a one-hop program, a human agent or analyst would identify relevant first-hop results to use as
               the basis for seeking additional collection; this potentially lessens (although does not eliminate
               entirely) the risk of erroneous additional collection based on first hops.

                       (U) The second distinctive feature of two-hop collection is that the government is likely
               to receive far more second-hop records, which include information about individuals who are
               indirectly connected to the target, than first-hop records, which relate to the target and the
               target’s direct contacts.  The result is that in a two-hop program, any privacy risks arising from
               the collection disproportionately affect individuals with no direct connection to the
               individualized suspicion on which the surveillance rests.

                       (U) These two distinctive features of two-hop collection manifested themselves during
               the life of the CDR program.  At several points, incorrect first-hop results returned by providers
               were automatically used as the basis for second-hop requests. 284   (Once these incidents were
               discovered, NSA notified the FISA court and deleted the resulting data.)  With respect to
               volume, 14 orders produced more than 400 million records in 2018, and NSA has acknowledged
               the exponential growth in the number of records that results from adding a second hop. 285

                       (U) The Board is not aware of any instances in which the abuses described above as
               potentially arising from large-scale data collection—breaches, leaks, theft, and so forth—
               materialized during the short life of the CDR program.  The Board has no information suggesting
               that CDRs were leaked, breached, or misused by anyone within the agency.  NSA implemented
               technological and process controls, discussed below, to reduce the risk of loss or misuse of
               CDRs.

                       C. (U) Program Limits and Controls


                       (U) The program operated subject to statutory limits, internal controls, and oversight,
               both within NSA and outside the agency.  By statute, NSA may only seek CDRs based on seed
               numbers relevant to an authorized investigation to protect against international terrorism. 286   The

               284  (U) See Part II(B)(2).

               285  (U) 2018 Statistical Transparency Report at 28–30.
               286  (U) 50 U.S.C. § 1861(b)(2)(C).  This collection limitation aligns with the data-minimization principle of the Fair
               Information Practice Principles (FIPPs), which states that “organizations should only collect [personal information]
