Page 86 - pclob usa freedom
P. 86

TOP SECRET//SI//NOFORN




                       (U) Third, some compliance incidents were caused simply because telephone providers
               turned over incorrect data to NSA. 363   The government would appropriately request first- and
               second-hop data from a provider, only to receive data that did not meet the statute’s expectations.
               There are, of course, many authorities, such as the Pen Register Statute 364  and the Stored
               Communications Act,   365  under which the government seeks telephony metadata.  We do not
               know the number of compliance incidents under those separate authorities and whether the rates
               of incorrect data from providers under the CDR program were higher than rates under other
               programs.  We would like to know the numbers, and if any differences were due to unique
               features of the USA Freedom Act. 366   At a minimum, we believe the issue warrants further
               inspection.

                       (U) All the foregoing suggests that we should be wary of overly strict statutory regimes
               that limit technological flexibility; under some circumstances, rigorous use of oversight functions
               may even be superior in ensuring that government activities properly balance security and
               privacy interests.  The President ordered significant changes to the bulk telephony metadata
               program after internal executive review, and the Board reported that after one year (and prior to
               the passage of the USA Freedom Act) the government had “accept[ed] many of the
               recommendations” in its report. 367   Although these assessments did not occur until unlawful
               disclosures of the program led to public debate, that doesn’t mean we should reflexively seek
               answers in unduly prescriptive statutory regimes that offer little by way of technological
               flexibility to implementing agencies.

                       (U) To be sure, law is essential to ensuring that the government does not overreach and
               that our national security apparatus remains democratically accountable to the people.  Yet
               explicit and detailed codification of intelligence practices carries risk to both operations and
               privacy.  It carries operational risk when it is unduly rigid, given the ever-changing threats our
               country faces.  And it carries risk to our civil liberties when it serves as a continued source of
               positive authority even as technology evolves.  Some of the laws governing access to electronic





               363  (U) See Letter from Daniel Coats, Director of National Intelligence, to Senators Richard Burr, Lindsey Graham,
               Mark Warner, and Dianne Feinstein (Aug. 14, 2019) (noting “the unique complexities of using these company-
               generated business records for intelligence purposes”).

               364  (U) 18 U.S.C. § 3121 et seq.
               365  (U) 18 U.S.C. § 2701 et seq.
               366  (U) It is possible the error rate under the USA Freedom Act CDR program was either higher or lower than is
               found in records collected under other authorities.  Given time limitations, we were unable to determine if it was
               even feasible to answer this question, never mind account for any differences in the error rate.
               367  (U) Privacy and Civil Liberties Oversight Board, Recommendations Assessment Report 1 (Jan. 29, 2015),
               https://www.pclob.gov/library/Recommendations_Assessment-Report.pdf.

                                                             83




                                                TOP SECRET//SI//NOFORN
   81   82   83   84   85   86   87   88   89   90   91