In the waning hours of the day on Friday, May 4 – four days later than was statutorily required – the Office of the Director of National Intelligence (DNI) released its annual transparency report. This mandatory report, summarizing certain intelligence agencies’ surveillance activities in 2017, is one of the most important results of the USA FREEDOM Act of 2015. However, the dramatic increase in the government’s collection and searches of Americans’ communications data that is detailed in the report raises serious questions about whether the intelligence community is adhering to Congress’ intent when it passed these laws, or whether its interpretations of what surveillance the laws authorize are overly aggressive.
Those questions aside, the data in this report make three things very clear: First, privacy advocates were justified in their calls for sweeping Section 702 reforms and in their rebuke of Congress when it failed to enact them. Second, the USA FREEDOM Act may not have delivered the strong reforms its sponsors expected. And third, while the intelligence community has taken steps towards being more transparent, they have been baby steps and the data shared require additional context and detail to constitute meaningful transparency.
An increase in Section 702 collection and backdoor searches
When Section 702’s reauthorization was being debated in 2017, two of the leading issues on which privacy advocates sought reforms concerned the scope of who could be targeted for surveillance, and so-called backdoor searches, where the intelligence community warrantlessly searches data collected under Section 702 for Americans’ communications. Congress recently reauthorized Section 702 for six years without making any meaningful reforms. This most recent transparency report shows dramatic increases in both the number of targets and the extent of warrantless searches, and therefore reinforces the concerns that animated calls for reform.
Under Section 702, the NSA may target any foreigner abroad, so long as they may have “foreign intelligence information,” which is broadly defined to include information related to U.S. foreign affairs, even where there’s no nexus to national security. The number of targets increased by 21% over 2016, growing from 106,469 targets to 129,080. Since 2013, the first year for which numbers were disclosed, the number of targets has increased by 45%. These statistics increase the urgency of one of privacy advocates’ burning questions: Is Section 702 used to target not only terrorists, spies, and others who pose threats to or have information important to U.S. national security, but also growing categories of people who may be plugged into foreign affairs, like foreign activists, journalists, religious leaders, or business people? If not, what accounts for this dramatic rise?
The statistics on backdoor searches, the government’s practice of routinely and warrantlessly searching databases containing Section 702 communications for Americans’ information, as well as warrantlessly reviewing the contents and metadata of their communications, also showed stark increases. It is worth noting that this mandatory reporting is limited to the NSA, CIA, and National Counterterrorism Center (NCTC). The FBI is exempt from this transparency requirement even though it considers these warrantless searches of Americans’ communications a matter of routine in all criminal and foreign intelligence inquiries and the first step in any investigation. The NSA, CIA, and NCTC are permitted to conduct warrantless searches for foreign intelligence investigations. In 2017, those three agencies used 7,512 identifiers, like email addresses, that belonged to Americans to search through the contents of 702 information, though it’s unclear how many communications were searched and how many times searches for Americans’ communications contents were conducted. This represents a 42% increase over the number of Americans’ identifiers used for warrantless searches in 2016, and a 61% increase since reporting started in 2015. This again raises the very serious question of how broadly the intelligence community defines foreign intelligence. Are there thousands and thousands of Americans who are threats to the United States or who have information about U.S. national security? Or is this large number the result of an overly broad interpretation of the law?
A decrease in metadata searches
By contrast, the intelligence community’s searches and collection of metadata obtained pursuant to Section 702 and the FISA pen register statute both dropped precipitously. The NSA’s metadata searches for Americans’ communications that had been incidentally collected under Section 702 decreased from 30,355 total searches conducted in 2016 to only 16,924 in 2017. This is a particularly surprising number since between 2013 and 2016 the number of these searches had increased by 220%. The CIA and FBI do not report on this statistic.
Similarly, the NSA’s collection under the FISA pen register authority, which is also used to collect metadata from phone and internet communications, dramatically decreased from 60 orders targeting 41 individuals and 81,035 accounts, to 33 orders targeting 27 individuals and 56,064 accounts. Since reporting began in 2015, the NSA has decreased its use of this authority by almost two-thirds. Have these searches for information about Americans’ communications and FISA metadata collection been shifted under other authorities that do not require the same kind of reporting, such as Executive Order 12333 or the call detail record (CDR) collection authority? Or is there some other explanation? Whatever the reason, the marked decreases cannot be because the intelligence community suddenly decided that metadata are not important, since their collection of metadata under the USA FREEDOM Act’s domestic CDR authority actually exploded.
An explosion in requests for call detail records
In fact, the vast increase in the collection of CDRs is one of the most striking and troubling new statistics in the transparency report. The CDR authority was meant to narrow and replace the bulk phone metadata collection program that the NSA ran under Section 215 of the Patriot Act, and that was revealed by Edward Snowden in 2013. Yet, the numbers suggest that these reforms may not be working as well as Congress intended. There were the same number of orders in 2016 and 2017 – 40 – and the number of targets of those orders decreased from 42 to 40. However, the number of records the NSA collected more than tripled from 151,230,968 records in 2016 to 534,396,285 in 2017. The number of accounts belonging to Americans that were searched for in those records increased by 40% compared to 2016, totaling 31,196.
The DNI’s report does note that many identifiers are counted multiple times because the NSA has been collecting duplicate records that it cannot identify, but this cannot account for a threefold increase in the number of call records collected in 2017. The significant increase also can’t be attributed to the change in the NSA’s collection practices following enactment of the USA FREEDOM Act. While the reforms prohibit bulk collection, advocates understood and former intelligence community officials noted that the Act could actually lead to the collection of more records. Under the earlier Section 215 program where the NSA held all the data itself, collection was limited to landlines, but after the USA FREEDOM Act was enacted, the NSA began collecting data associated with account identifiers like mobile phone and calling card numbers. Privacy advocates who supported the USA FREEDOM Act accepted this trade-off because while the collection increased in volume, it was also required to be targeted. However, the increase in collection resulting from the NSA’s expansion to targeting mobile numbers was reflected in the 2016 transparency report.
When asked why there was such a dramatic increase in CDR collection in 2017, the DNI offered several vague reasons, including the “dynamics of the ever-changing telecommunications sector,” but what does that mean? Was it because the NSA has broadened the types of communications that it considers to be covered by the CDR authority or the terms that it may use to target accounts for surveillance, or for entirely different reasons? One thing that the NSA could do to add clarity is fulfill its statutory reporting obligation to include an accounting of the number of “unique identifiers” that it collects on, such as phone numbers. The report states that “the government does not have the technical ability to isolate the number of unique identifiers within records received from the providers,” but does not explain why the government lacks this capability.
This transparency report provides important and valuable information about U.S. surveillance activities. But it also makes three things clear about the need for even greater accountability. First, Congress was derelict in its duty to pass meaningful reforms to Section 702 when it enacted the FISA Amendments Reauthorization Act in January; increasing numbers of people continue to be targeted under the broad scope of 702 surveillance and are subject to backdoor searches. Second, vast increases in the collection of CDRs show that the reforms of the USA FREEDOM Act likely require strengthening when Congress debates its reauthorization next summer. And third, it is not enough for the intelligence community to answer only the question “how many?” To provide meaningful transparency, it must also do much more to explain how it conducts surveillance, on what, and for what specific purposes. This additional context is critical to the intelligence community gaining and maintaining the public’s trust.