Page 6 - pclob usa freedom
P. 6

TOP SECRET//SI//NOFORN


                (U) Data-Integrity Concerns and Compliance Incidents


                       (U) The program experienced a series of compliance incidents and data-integrity
               problems, which led NSA to issue about a dozen notices to the FISA court since 2016.  After
               repeatedly discovering anomalies in the data it received, NSA suspended the collection of CDRs
                                                                                                       2
               in early 2019.  NSA subsequently deleted all CDRs collected under the USA Freedom Act.
                       (U) Some of the compliance incidents were of types that could have arisen in other
               intelligence or equivalent law enforcement collection authorities.  These include incidents
               involving information inadvertently omitted from a FISA court application, certain NSA officers
               who had access to data without required training, and a provider’s production of data beyond the
               end date of an order.

                       (TS//SI//NF) Other incidents raise questions unique to the contours of the USA Freedom
               Act.  Beginning in 2016, NSA identified a series of data-integrity problems related to
                                          and other data errors.  In most of these cases, NSA systems
               unknowingly relied on inaccurate first-hop data to determine which second-hop requests to issue.
               Additional compliance incidents arose from other data errors, such as overwriting of data fields
               with incorrect or unrelated data.

                       (U) These problems, taken together, contributed to NSA’s decision to delete the USA
               Freedom Act CDR data in 2018 and again in 2019, and its decision to eventually suspend the
               program.

               (U) Findings


                   •  (U) Based on a review of the facts, the Board determined that the compliance incidents
                       were inadvertent, not willful.


                   •  (U) NSA took steps to remedy each compliance incident, including notifying appropriate
                       oversight entities, imposing additional limits on data requests, and deleting erroneously
                       obtained data.

                   •  (U) In response to each compliance incident that raised questions about the scope of
                       permitted collection under the statute, NSA chose to follow a narrower, rather than a
                       more expansive, understanding of its authority under the USA Freedom Act.




               2  (U) Whenever NSA deleted USA Freedom Act CDRs, it did not delete underlying data that had been used in
               disseminated intelligence reporting or data that was considered “mission management related information.”  This
               was consistent with NSA’s minimization procedures.  See Nov. 2015 Minimization Procedures Used by the National
               Security Agency in Connection with the Production of CDRs Pursuant to Section 501 of the Foreign Intelligence
               Surveillance Act, as amended (“NSA Minimization Procedures for CDRs”).
                                                              3


                                                TOP SECRET//SI//NOFORN
   1   2   3   4   5   6   7   8   9   10   11