Page 6 - pclob usa freedom
P. 6
TOP SECRET//SI//NOFORN
(U) Data-Integrity Concerns and Compliance Incidents
(U) The program experienced a series of compliance incidents and data-integrity
problems, which led NSA to issue about a dozen notices to the FISA court since 2016. After
repeatedly discovering anomalies in the data it received, NSA suspended the collection of CDRs
2
in early 2019. NSA subsequently deleted all CDRs collected under the USA Freedom Act.
(U) Some of the compliance incidents were of types that could have arisen in other
intelligence or equivalent law enforcement collection authorities. These include incidents
involving information inadvertently omitted from a FISA court application, certain NSA officers
who had access to data without required training, and a provider’s production of data beyond the
end date of an order.
(TS//SI//NF) Other incidents raise questions unique to the contours of the USA Freedom
Act. Beginning in 2016, NSA identified a series of data-integrity problems related to
and other data errors. In most of these cases, NSA systems
unknowingly relied on inaccurate first-hop data to determine which second-hop requests to issue.
Additional compliance incidents arose from other data errors, such as overwriting of data fields
with incorrect or unrelated data.
(U) These problems, taken together, contributed to NSA’s decision to delete the USA
Freedom Act CDR data in 2018 and again in 2019, and its decision to eventually suspend the
program.
(U) Findings
• (U) Based on a review of the facts, the Board determined that the compliance incidents
were inadvertent, not willful.
• (U) NSA took steps to remedy each compliance incident, including notifying appropriate
oversight entities, imposing additional limits on data requests, and deleting erroneously
obtained data.
• (U) In response to each compliance incident that raised questions about the scope of
permitted collection under the statute, NSA chose to follow a narrower, rather than a
more expansive, understanding of its authority under the USA Freedom Act.
2 (U) Whenever NSA deleted USA Freedom Act CDRs, it did not delete underlying data that had been used in
disseminated intelligence reporting or data that was considered “mission management related information.” This
was consistent with NSA’s minimization procedures. See Nov. 2015 Minimization Procedures Used by the National
Security Agency in Connection with the Production of CDRs Pursuant to Section 501 of the Foreign Intelligence
Surveillance Act, as amended (“NSA Minimization Procedures for CDRs”).
3
TOP SECRET//SI//NOFORN