Case: FISA Docket PR-TT ---- (Walton, J.) (February 2009)

For the Civil Rights Litigation Clearinghouse collection of FISA matters, see our special collection.

On November 18, 2013, the Director of National Intelligence authorized the declassification and public release of numerous orders approving the National Security Agency's ("NSA") so-called "Bulk Internet Metadata Program" under Section 402 of the Foreign Intelligence Surveillance Act of 1978 ("FISA"), commonly referred to as the Pen Register and Trap and Trace (PR/TT) provision, or Section 214 of the USA PATRIOT Act. On August 11, 2014, the Director of National Intelligence authorized another declassification and public release of additional documents regarding the now-discontinued NSA Bulk Electronic Communications Metadata Program pursuant to Section 402 of FISA.

Under the program, the NSA collected records from large telecommunication companies about electronic communications metadata. These records included the "to," "from," "cc," and "bcc" lines of an email and the email's time and date. The program did not authorize the collection of content of any electronic communications. Once collected, the records were stored for several years and were authorized to be queried, used, and disseminated only in accordance with "minimization rules" proposed by the government and approved by the Foreign Intelligence Surveillance Court ("FISC"). The most basic aspect of the minimization rules was that the metadata records were to be queried only when there was a reasonable suspicion, based on specific and articulated facts, that the identifier used as the basis for the query was associated with specified foreign terrorist organizations.

NSA collection of email metadata began in 2001, as part of the "President's Surveillance Program." Apparently the government took the position that internet metadata could be collected lawfully without court order because the NSA did not actually "acquire" communications until particular items were selected for review, after they showed up via query. But after Department of Justice lawyers raised objections to this theory, and accordingly to the program's legality, the Attorney General sought judicial ratification of the internet metadata program under the FISA pen/trap provisions, and the FISA Court blessed it in an order dated July 14, 2004. Except for a brief period in 2009, the FISC reauthorized the program approximately every 90 days until the Obama administration discontinued it in 2011. As of April 2014, only three FISC opinions and four FISC orders related to the internet metadata collections program have been released. All the opinions and orders have been significantly redacted. They nonetheless explain a good deal about how the program worked.

The volume of material collected was "enormous" from its beginning, as the first of these opinions explains. At the start, the government aimed "to build a meta data archive that will be, in relative terms, richly populated with [redacted] related communications." As the Court reported the government's initial intentions, "[s]ome proportion of these communications-less than half, but still a huge number in absolute terms-can be expected to be communications [redacted] who bear no relation to [redacted]." In 2009 or 2010, however, the government "in comparison with prior dockets, [sought] authority to acquire a much larger volume of metadata at a greatly expanded range of facilities." The growth in volume and scope included extending collection beyond the "streams of data with a relatively high concentration of Foreign Power communications" that had previously been the focus. Until the program ended, in 2011, the pen/trap bulk collection began to reach "electronic communications, the vast majority of which, viewed individually, are not relevant to the counterterrorism purpose of the collection, and many of which involve United States persons."

The FISC initially approved the internet metadata program in 2004 in an opinion by Judge Colleen Kollar-Kotelly under docket PR-TT [redacted].

On January 28, 2009, in the FISC matter BR 08-13, FISC Judge Reggie Walton issued an order requiring the government to submit a report by February 15 detailing compliance issues relating to the telephony metadata program, under FISA Section 215. Judge Walton also ordered the NSA to check the Internet metadata program for similar problems and report back.

Between February 3, 2009, and February 13, 2009, the government submitted an application for renewed authorization to install and use pen registers and trap and trace devices for foreign intelligence purposes. With the application, the government submitted a declaration of Michael E. Leiter, Director of the National Counterterrorism Center (NCTC). This application differed from prior (undisclosed) applications in four ways:

• First, the application included additional oversight mechanisms that the government would implement.

• Second, a new approving official, the "Chief, Special Foreign Intelligence Surveillance Act Oversight and Processing, Oversight and Compliance, Signals Intelligence Directorate, National Security Agency," replaced the "Signals Intelligence Directorate Deputy Program Manager for Counterterrorism Special Projects Analysis and Production."

• Third, references to an "archive" were deleted or replaced as appropriate.

• Fourth, the government added footnote 11 to the application and footnote 5 to the proposed Primary Order to make clear it that NSA technical personnel were allowed to access the data in order to perform certain technical processes to make the data usable by analysts. The restrictions on access were not meant apply to those technical processes.

Also included with the application was a heavily redacted Declaration of the NSA Chief, Special FISA Oversight and Processing, Oversight and Compliance, Signals Intelligence Directorate. This official oversees the implementation of the FISC's pen register and trap and trace authorizations. This official described the use of web-based services by terrorist organizations, the availability of Internet communications in the U.S., the data the NSA seeks to access, the random spot checks conducted by the NSA, the small proportion of Internet bandwidth that the NSA will obtain, why the NSA seeks access to this amount of data, and the internal controls/minimization procedures.

Included with the declaration were additional exhibits in a single document entitled "Tab 1". The government included a 90-day report as Exhibit B. In a (not so-far disclosed) previous primary order, the FISC had ordered the government to regularly submit reports discussing the queries that have been made of the metadata collected under the authority granted by the FISC, any new facilities proposed to be added to such authority, and any changes in the proposed means of collections. Additional content is required but has been redacted. Also included is a memo from the NSA to the National Security Division regarding meetings to assess compliance with the FISC orders and the steps taken by the NSA to assess compliance with the order so far and the its progress in implementing remedial steps.

On February 13, 2009, the government responded to the January 28 FISC order that required the government to affirm that it was exercising authority only in accordance with the primary order or to report any deviations from that authority. In the response, the government concluded that it was complying with the FISC's orders except for one particular method for the approval of an email address as a querying seed. The government stopped using this method after this conclusion. The government also assured the FISC that it was adopting additional oversight procedures to ensure compliance with the FISC's orders. Along with the response, the government submitted a Declaration of Lieutenant General Keith B. Alexander, U.S. Army, the Director of the NSA.

After reviewing the government's application, FISC Judge Reggie Walton issued a primary order granting the government's application for authorization for 90 days. This was sometime after February 13, 2009. The last released primary order that can be compared to this primary order comes from the initial authorization in July 2004, FISA Docket PR-TT ---- (Kollar-Kotelly, J) (2004). In the 2009 primary order, Judge Walton requires the NSA to perform metadata queries only in accordance with a previous non-disclosed FISC order. In addition, the number of NSA officials who can approve queries grew from 3 in the 2004 order to 23 in this order. There was also a new provision on page 10 that allowed metadata from certain emails to be queried without approval; the exact requirements have been redacted. Also on page 10, Judge Walton ordered the government not to resume two discontinued processes that the government described in the non-disclosed 90-Day Report attached to the Application at Tab B. There is no additional information regarding these two processes. This order also requires the government to conduct random spot checks to ensure that the collection is in compliance with the FISC orders. Judge Walton also ordered the government to destroy all metadata no later than four and a half years after its initial collection. Increased oversight also included a report every thirty days discussing the new queries that had been made and any changes to the process. Starting on page 13, Judge Walton also listed the additional oversight mechanisms to ensure compliance with FISC orders that the government described in their Response.

Judge Walton's approach to the internet metadata collection program compliance issues was similar to how he handled the phone data collection program compliance issues in the FISC matter BR 08-13. In that matter, Judge Walton authorized continued collection of phone data collected under Section 215, but found in March 2009 that the government had not complied with court-ordered procedures to protect the data. In the order, Judge ruled that government could continue collecting the data, but the government could not access the data until it put in place necessary safeguards. In particular, the government had been accessing the telephony records for the purpose of comparing it with thousands of phone numbers that had not met the reasonable articulable suspicion standard required for such comparisons under the applicable minimization rules. Judge Walton ruled that it need not cease acquisition of the data. However, Judge Walton did not permit the government to access the data until it was sufficiently assured that government developed the personnel and technological competency to access the data using minimization procedures.

Subsequently in the PR-TT matter, sometime before March 5, 2009, the government submitted a motion to unseal FISC documents in order to brief the Congressional Intelligence and Judiciary Committees. Judge Walton granted the government's motion. (We know these documents had to be before March 5, 2009, because on that day the government submitted significant FISC filings to the Congressional Committees.)

Compliance problems continued into 2009, and were the subject of the next matter with documents publicly released, from May 2009--FISA Docket PR-TT ---- (Walton, J.) (May 2009). The documents released for this next matter do not include the primary order. Rather, the documents released concern a compliance issue that the government reported and then a FISC supplemental order requiring the government to provide additional information regarding the compliance issue and to take steps to address the issue.