
NSA Data Collection: A Legal Dance

Following the revelation that the NSA was collecting phone records of millions of customers, how did the FBI and NSA maneuver rules and regulations to collect, mine, and use collected data?

Crossposted on Balkinization.
Many questions remain about the revelations that the NSA has been receiving the phone records of all of Verizon’s domestic customers, almost in real-time, apparently for the past seven years. Among them is the fact that while it’s the FBI that asked the secretive Foreign Intelligence Surveillance Court to order Verizon to provide the records, the leaked FISC order indicates that all of the data goes to the National Security Agency. [A quick caution: Readers with security clearances who weren’t permitted to review Wikileaks documents may not want to read the order, as it’s highly classified.]
So why do the documents go to the NSA? The obvious answer is that the NSA has the biggest computing and data-crunching capacity around, and this is a LOT of data. There are some interesting legal quirks that arise from this bisected approach, though. This post attempts to walk through them – and I welcome corrections or comments if I’ve gone off-course somewhere.
Let’s start with the order. It was issued under Section 215 of the Patriot Act, also known as the “business records” provision. Under Section 215, the FBI (and only the FBI) can ask the FISA Court to issue a secret order requiring a business to produce “any tangible things” (records, documents, etc.). The application for the order must be supported by a statement of facts showing that the records are “relevant” to an authorized counterterrorism or counterintelligence investigation (or an investigation to obtain foreign intelligence information not concerning a U.S. person, which doesn’t seem relevant here). So the FBI has to identify a specific investigation to which these records are relevant, and it must be a predicated investigation, not an “assessment” (which is the ostensibly low-level but quite intrusive authority under which the FBI investigated Tamerlan Tsarnaev).  
The statute also requires the Attorney General to adopt minimization procedures (retention and dissemination limitations) for the materials the FBI receives. This requirement only kicks in, however, when the FBI receives information in response to the order. And the FBI doesn’t receive this information: the NSA does.  
So that gets us to the NSA. Executive Order 12333, issued in 1981 by President Reagan, generally governs how intelligence agencies collect and use information about U.S. persons (citizens and lawful permanent residents, plus many corporations). EO 12333 seems to authorize fairly generous collection, retention, and dissemination of U.S. person information, as long as (among other things) the information is “obtained in the course of a lawful foreign intelligence, counterintelligence, … or international terrorism investigation.” That is, the kind of investigation for which a section 215 order is available.
Under EO 12333, the head of each intelligence agency must issue minimization procedures detailing the permissible collection, retention, and dissemination of information about U.S. persons, including information gathered during a counterintelligence or counterterrorism investigation, which is presumably what’s involved here.
For the NSA, those minimization procedures would be Department of Defense regulation 5240.1-R, which seems to be *more* restrictive than EO 12333. That is, these procedures don’t say that any information can be collected as long as it’s relevant to a counterterrorism or counterintelligence investigation. Instead, they say information can be collected about a U.S. person only if (1) the information constitutes foreign intelligence (basically information about foreigners) AND (2) the U.S. persons are “reasonably believed to be engaged or about to engage, in international terrorist … activities.” (There are a few other circumstances, which I don’t think are relevant here.) If the information constitutes counterintelligence (information gathered to protect against various foreign activities) rather than foreign intelligence, the U.S. persons must be “reasonably believed to be engaged in, or about to engage in, intelligence activities on behalf of a foreign power, or international terrorist activities.” So the people whose information is collected by the NSA need to be actively engaging, or about to be engaged, in something nefarious – they can’t just be vaguely relevant to an investigation.
However, as others have noted as well, the regulations have a particularly restrictive and somewhat peculiar definition of collection: “data acquired by electronic means” is collected ONLY “when it has been processed into intelligible form.” This has two implications. First, this might be why the FISA order specifically directs Verizon to send the NSA an electronic copy of the data: so that the production doesn’t automatically trigger the “collection” restrictions. (Plus, of course, it would be crazy to ask for a hard copy.) And second, as long as there’s just a huge data dump sitting there, unprocessed, the NSA hasn’t “collected” information, and thus doesn’t yet have to comply with the restrictions of the DOD regulations.
Once the NSA processes it – for instance, by searching for calling patterns and communities of interest related to people the FBI or NSA identifies as being “reasonably believed to be engaged in international terrorist activities” – it’s been collected. At that point, though, it’s fine, because that targeting satisfies the regulation. This would help explain statements by Senate members implying that the NSA doesn’t do anything with the information until it gets specific names. (Of course, some of those senators are also making laughable pronouncements that information has been collected “only on bad guys.”) 
There’s one problem (and maybe more) with this line of argument: how does the NSA process ONLY the information it’s searching for? Doesn’t it have to process a large batch of information in order to conduct the search within the data, which would then involve collecting more than just the information permitted by the DOD regulations? The NSA does, though, have to get around the 5240.1-R collection limitations in some way, since otherwise the collection of phone data on every single person in the U.S. would seem a wee bit overbroad. So maybe this legal and technological footwork is the way it does it – and in the meantime, the FBI has neatly sidestepped its own minimization obligations by not receiving information under the section 215 order. (Of course, we don’t know what information the NSA is feeding back to the FBI after it processes the data – but perhaps the FBI argues that at that point, it’s not receiving information “in response to” the original order.)
There’s one other interesting note. Under EO 12333, the NSA is required to use the “least intrusive collection technique feasible” where Americans are concerned. But by the time the NSA comes into play, they’ve got everything – so the only question is what technique they use to burrow in on the relevant information, not what they do to capture the whole dataset. The FBI, which makes the original request, is also required to use the least intrusive method available, and one would think a FISA Court judge might inquire whether there’s a very slightly less intrusive method than obtaining the entire country’s calling information. But conveniently, the Attorney General Guidelines that Michael Mukasey issued in 2008 add that the FBI “shall not hesitate to use any lawful method,” as long as it’s warranted, “particularly … in investigations relating to terrorism.” So the NSA gets to obtain information in a more intrusive way than it might otherwise be allowed, since the FBI is the one doing the asking.

Photo by beaufour.