Page 59 - pclob usa freedom
TOP SECRET//SI//NOFORN
agency’s minimization procedures, which were adopted by the Attorney General and approved
by the FISA court, limit when and for what purpose analysts may access USA Freedom Act
CDR data. 287 Specifically, NSA may only grant access to personnel who are trained on the
procedures and restrictions that govern the handling and dissemination of that data and who have
a need to know. 288 The procedures also prohibit NSA from retaining CDRs for more than five
years after they were delivered to NSA unless the relevant CDR contained information that
formed the basis for a foreign intelligence report. 289
(U) Internal policies and guidance impose further limits. 290 Queries could only be
initiated when “intended to determine or identify persons of foreign intelligence interest who
may be engaged in international terrorism,” and were subject to audit. 291 These limits and
controls played a role in mitigating the privacy risks posed by the program during its operation.
(U) Like other NSA activities, the USA Freedom Act CDR program was overseen by
various elements within NSA. The Board’s oversight, including demonstrations of NSA’s
compliance technology, indicates that the agency has made significant investments in internal
compliance and accountability processes. For instance, NSA had measures in place to ensure
that only the right people could see CDR program information on NSA’s systems and that those
people could use the information only for authorized purposes. Every query by an NSA analyst
is logged and later reviewed by a human auditor familiar with the analyst’s mission, and NSA
has deployed technology to augment the capabilities of these human auditors. Software
developers seek to build minimization and compliance rules into the design of the user interfaces
that analysts use, reducing the need to rely on human recall and judgment to ensure

that is directly relevant and necessary to accomplish the specified purpose(s)” of the collection. The White House,
National Strategy for Trusted Identities in Cyberspace, Appendix A (Apr. 2011),
https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf.
287 (U) The statute and minimization procedures limited the purposes for which data could be used. This speaks to
the FIPPs purpose-specification principle, which provides that entities should articulate the authority under which
personal information is collected and the purposes for which it is intended to be used. The White House, National
Strategy for Trusted Identities in Cyberspace, Appendix A (Apr. 2011).
288 (U) NSA USA Freedom Act Transparency Report at 6. These restrictions relate to the FIPPs principle of “use
limitation,” which provides that organizations should use personal data for the stated purposes and share it in ways
that are compatible with such purposes, and the principle of “data quality,” which states that steps should be taken
to ensure that personal data is “accurate, relevant, timely, and complete.” The White House, National Strategy for
Trusted Identities in Cyberspace, Appendix A (Apr. 2011).
289 (U) NSA USA Freedom Act Transparency Report at 7.
290 (U) See Part II(A)(2).
291 (U) NSA USA Freedom Act Transparency Report at 13. Query limits reinforce the FIPPs principle of use
limitation. NSA’s training, compliance, and auditing practices address the FIPPs principle of auditing. See The
White House, National Strategy for Trusted Identities in Cyberspace, Appendix A (Apr. 2011).