August 02, 2018

Wyden, Paul Request Investigation of “Technical Irregularities” in NSA Metadata Program

Washington, D.C. – U.S. Sen. Ron Wyden, D-Ore., and Sen. Rand Paul, R-Ky., today asked a government watchdog to investigate the circumstances that led the National Security Agency to delete hundreds of millions of telephone records, following the discovery the agency improperly received records.

“When Congress passed the USA FREEDOM Act and ended the bulk collection of Americans’ phone records, it expected that mass surveillance would be replaced by a carefully controlled system that only obtained a limited set records described in the law,” Wyden said. “Congress and the American people need to know what went wrong before we make any decisions to continue these authorities.”

"Vital questions remain about how the NSA collects sensitive information, as well as how the agency has addressed its latest admitted violations of the law and Americans’ privacy. Our letter seeks answers to help ensure innocent Americans' rights are being respected,” said Senator Paul.

Read the full letter here. Wyden and Paul asked the NSA Inspector General to launch an investigation that answers the following questions:

(1)   The telecommunications companies provide CDRs to NSA pursuant to court orders from the FISC under Section 501(b)(2)(c).  To what extent do these orders provide sufficient direction to the companies to ensure that they provide only CDRs the NSA is allowed by law to receive?

(2)   According to NSA’s Civil Liberties and Privacy Office’s January 15, 2016, report (“Transparency Report: The USA FREEDOM Act Business Records FISA Implementation”), “NSA and the provider(s) have conducted a significant amount of systems engineering and testing to ensure that CDRs produced under the USA FREEDOM Act are accurate, relevant, timely and complete.”  How can this systems engineering and testing assistance be improved to ensure that CDRs that are not responsive to orders are never sent to the NSA? 

(3)   The Civil Liberties and Privacy Office report also stated that “NSA’s minimization procedures for the telephone metadata acquired pursuant to the USA FREEDOM Act require the Agency to inspect CDRs received from a provider through manual and/or automated means to confirm that the CDRs are responsive to the FISC’s production order.”  In what ways were the minimization procedures insufficient to ensure that NSA conducts this review on all CDRs and does so upon receipt of the records?  How is the implementation of these minimization procedures consistent with the statement in NSA’s June 28, 2018, announcement, that it is “infeasible to identify and isolate properly produced data”?

(4)   According to the ODNI’s Statistical Transparency Report for calendar year 2017 (April 2018), the telecommunications companies produced over half a billion (534,396,285) CDRs in response to 40 orders covering 40 targets.  To what extent has NSA’s implementation of minimization procedures intended to ensure that all CDRs are responsive to FISC orders been overwhelmed by the sheer volume of communications data provided to NSA under this authority?

(5)   NSA’s June 28, 2018, announcement stated that it has ensured that intelligence reports “were based on properly received CDRs.”  How did NSA arrive at that conclusion?  To what extent can CDRs be systematically reviewed for responsiveness and legality prior to their inclusion in intelligence reports?

(6)   Are CDRs electronically tagged so that NSA can easily associate them with targets and discern the number of “hops” from the targets?  If not, what are the challenges to such tagging?

(7)   Was the deletion of data sufficient to ensure that all unauthorized production was, in fact, deleted?

(8)   NSA’s June 28, 2018, announcement stated that “[t]he root cause of the problem has since been addressed for future CDR acquisition.”  Has the NSA adequately ensured, not only that the same unauthorized production will not reoccur, but also that systems are in place to prevent other technical irregularities from resulting in unauthorized production?

###