Page 87 - pclob usa freedom
P. 87
TOP SECRET//SI//NOFORN
communications that precede the commercial internet (not to mention the smartphone) exemplify
these risks. 368
(U) The impact on intelligence and privacy of the changes wrought by the USA Freedom
Act is particularly difficult to assess. For example, under the bulk collection program NSA
approved only about 300 query terms in 2012. Yet under the USA Freedom Act, which
prohibited bulk collection of call detail records, 164,682 US person query terms were run against
NSA’s data last year alone, perhaps in part because queries no longer required pre-approval
either from designated agency officials or from the FISA court. 369 At the same time, the number
of intelligence reports dropped precipitously from one program to the next. In the three-year
period between 2006 and 2009, NSA issued 277 intelligence reports—more than ten times the
number produced during the life of the USA Freedom Act CDR program. It’s not immediately
obvious to us how to compare bulk collection with limited querying against more limited
collection with more extensive querying; we also do not know if the drop in reports was due
largely to changes in technology. At a minimum, though, it strikes us that a case can be made
that the USA Freedom Act rendered the collection of CDRs less operationally valuable while
augmenting the very privacy concerns it sought to lessen.
*
(U) The threats we face have not abated and technology continues to evolve. We
encourage legislators to work with the executive branch as well as technology experts to
understand any gaps in current authorities and how technology may be leveraged to better protect
privacy while respecting national security imperatives. 370 To retain operational value over time,
368 (U) For example, the Electronic Communications Privacy Act addresses the interception of electronic data and
access to stored communications. But it was passed in 1986 and contains provisions that lead to counterintuitive
results with modern technology. It allows the government to use a subpoena to obtain emails and similar electronic
messages if they are stored on a third-party server for more than 180 days, but requires a warrant to access the same
emails if they were in storage for a shorter period of time. 18 U.S.C. § 2703(a)–(d).
369 (U) To be sure, as noted in Part III(B), this number is inflated because of the manner in which NSA tracks and
counts queries; many of the 164,682 query terms would never return USA Freedom Act CDRs. However, that
number is still over 500 times higher than the number of annual query terms during the operation of the bulk
program. Even substantial overcounting would not appear to make up for the difference.
370 (U) Our colleagues suggest that a multi-hop metadata program not limited to telephony metadata could never
prove more valuable than the CDR program. See Statement of Ed Felten and Travis LeBlanc at 77. On the basis of
this record, none of us can know. In light of the theoretical advantages of multi-hop analysis we have described
above, it should be unsurprising that the intelligence community has identified contact-chain analysis as a significant
tool that is worth the cost of collection and compliance under appropriate circumstances. Perhaps, though, we agree
on more than we disagree. Our colleagues say there “is and will continue to be significant intelligence value in first-
hop communications metadata, and in additional hops where there is specific analytical justification for acquiring
them.” Statement of Ed Felten and Travis LeBlanc at 77–78 (emphasis added). It seems we agree that there is value
in exploring that potential.
84
TOP SECRET//SI//NOFORN
