UPDATE September 14, 2018: This blog has been updated at the bottom to include information about two Senators’ reactions to the NSA’s call detail record deletion.
In late June, the NSA announced a magic trick—hundreds of millions of collected call records would disappear. Its lovely assistant? Straight from the agency’s statement: “Technical irregularities.”
These “technical irregularities” are part of a broad and troubling pattern within the NSA—it has repeatedly blamed its failure to comply with federal laws on technical problems purportedly beyond its control. EFF has a long history of criticizing Congress for giving the NSA broad authority for its surveillance programs, but allowing the NSA to flout what limits Congress has put on the programs because of vague “technical” issues is wholly unacceptable. If the NSA can’t get its technology in order, Congress should question whether the NSA should be conducting mass surveillance at all.
For example, the NSA is currently required to report numbers called “unique identifiers” in a transparency report compiled annually by the agency’s Office of the Inspector General (OIG). These numbers could help the public understand just how many Americans are burdened by NSA surveillance. But the NSA didn’t report the numbers this year, or the two years prior, because, according to the report, “the government does not have the technical ability.”
And in May 2018, the agency discovered that its massive telephone metadata surveillance program was surveilling too massively. During call detail record collection authorized under Section 215 of the Patriot Act, as amended by the USA Freedom Act of 2015, the NSA said it also collected records that it had no legal authority to obtain. Countless records were, in effect, illegally collected and stored for years. The NSA blamed this on “technical irregularities.”
The same “technical irregularities” that led to improper data collection also made it impossible to separate improperly collected call records from properly collected ones, the NSA claimed. Apparently unable to disentangle this techno-Gordian knot, the agency decided to just throw the whole thing out. All 685 million call detail records collected from telecommunications companies since 2015 would be deleted, the agency said. (Confusingly, even though the NSA said it found this problem “several months” prior, it waited until late May to act—and then took another month to tell the public what happened.)
Something is clearly amiss here. The NSA has repeatedly insisted to the American public and Congress that these call records are necessary for “national security,” and yet, the agency’s solution to discovering the over-collection was to delete everything it had grabbed for the past three years.
The NSA may blame its computer systems, but Senator Ron Wyden (D-OR), who sits on the Senate Select Committee on Intelligence, does not. Sen. Wyden instead blamed telecommunication providers for the over-collection, telling the New York Times:
“Telecom companies hold vast amounts of private data on Americans. This incident shows these companies acted with unacceptable carelessness, and failed to comply with the law when they shared customers’ sensitive data with the government.”
Because the NSA only offered a sparse, uninformative public statement, many questions are left unanswered. What technical problem did the agency actually discover? What was its root cause? How did the NSA originally identify the problem, and why did it take three years to find it? Considering Sen. Wyden’s comments, who is at fault for the over-collection? The companies? The NSA? Both?
Let’s not get lost here. Whether the NSA over-collected or the companies over-delivered is only tangential to the core problem—there are no legal consequences for violating the rules.
Most importantly, how is it that the NSA—which has consistently defended its mass surveillance as necessary for “national security”—decided that national security was not at risk when deleting these records? Does the NSA’s about-face mean that, as we’ve said for years, the agency doesn’t actually need to collect these types of records in the first place?
In a sense, the deletion of these records is good news. The fewer records the NSA has on us, the better. (Although the telecom companies’ troubling retention of these records remains). The warrantless collection of Americans’ private data is something EFF has fought for years, advocating for meaningful reform both in court cases and in legislation. We need more answers, and we need to stop letting the NSA blame “technical irregularities” for its failures, something it has done for years.
Between 2009 and 2017, the NSA cited technology failures for more than 15 violations of federal law regarding a separate NSA surveillance program that sweeps up Americans’ online communications including emails, web chats, and browsing history. According to released court opinions and documents, the NSA’s remedy to these technical failures is often unknown. The NSA could have fixed its errors, or it could have ignored them. We simply don’t know.
This lack of transparency only compounds the NSA’s irresponsibility in its failure to comply with the law. When the NSA has admitted a technical error, it has done next to nothing to explain the problem in any detail, why the problem is allegedly too hard to fix, or how the problem began in the first place.
For the NSA’s failure to report unique identifiers this year, the OIG transparency report offered a one-sentence explainer and then hand-waved the problem away, saying that, if anything, the statistics reported were “over-inclusive” because of potentially duplicated counts of single call records.
As for the agency’s mass deletion of call detail records, the public received no further explanation of the “technical irregularities” themselves. Instead, the NSA claimed that it had fixed the problem, and that all future call detail record collection would be compliant with federal law.
These statements mean little to us by now. Too often, the NSA has responded to its own mistakes and outside attempts at oversight with one of three options: neglect, denial, or misleading statements. We saw a similar reaction when, in 2015, Congress passed the USA Freedom Act, the first successful, legislative attempt to meaningfully restrict the NSA’s surveillance under Section 215—the very same program under which the NSA has now deleted hundreds of millions of call records.
Former NSA general counsel Glenn Gerstell initially expressed concern about the potentially “cumbersome” collection requirements under the USA Freedom Act, but, he still said:
“NSA is confident, however, that it can operate the new scheme in compliance with the law.”
We now see that this confidence was misplaced. Shame it took three years for us to find out.
With the NSA’s call record surveillance program up for reauthorization in 2019, we must demand meaningful explanations for the NSA’s failures, refusing to accept the agency’s bland assurances. We worry that meaningful reforms, even if successfully approved by Congress, could go ignored once again.
We ask the NSA to finally explain what is happening inside its databases, what is it doing to fix these continued problems, and what is it doing to protect the Fourth Amendment right of privacy of all Americans. Finally, Congress, we urge you to find out—if the NSA’s collection is so easily deleted, why can’t we stop it entirely?
Update: Last month, Senators Ron Wyden and Rand Paul sent a letter to NSA Inspector General Robert Storch asking his office to investigate many of the same concerns we wrote above. We thank the Senators for their work. You can read the letter here.