NSA's First Post-USA Freedom Act Report Shows It Can Still Turn Transparency Into Opacity

The NSA has released its first post-USA Freedom Act "Transparency Report," highlighting the changes made to its bulk records collection as a result of the legislation. The NSA is now limited to approaching service providers for records using RAS (Reasonable Articulable Suspicion)-approved selectors, rather than simply gathering everything and sorting through it at its convenience. That being said, it still performs a certain amount of "selecting" in the dark, using collected data held on its own servers. While the number of "hops" it's able to perform from its original RAS-approved selector has been limited, it may be able to perform more expansive contact chaining thanks to its own analytic processes, which are removed from FISA Court oversight. Julian Sanchez, writing for Just Security, notes that the NSA is indeed complying with the new law's limitations on contact chaining.

The report’s definition of “one hop” and “two hop” results clarifies that they are interpreting the statute as Congress intended: The “results” generated in response to a specific selector will encompass only particular numbers in direct contact with that selector, as opposed to any numbers that might show up on (say) the same monthly phone bill.

However, this doesn't necessarily mean the NSA is limiting itself to contacts once or twice removed from numbers in direct contact with RAS-approved selectors. Sanchez points out that there's no way to tell exactly what the NSA is doing with its collected records before approaching service providers for data on contacts further down the chain.

There are two notable consequences to this procedure. On the one hand, at least on its face, it would seem to preclude NSA from requiring the phone carriers to conduct “chaining” between the first and second hop using data (such as, for instance, location information or billing addresses) possessed by the telephone carriers but not produced to NSA, because it falls outside the scope of USA Freedom’s relatively narrow definition of Call Detail Records. On the other hand, it makes the process of generating the list of one-hop selectors to be used by carriers as the basis for production of second-hop Call Detail Records effectively a black box under NSA’s control. The first list of “specific selectors” will consist of phone numbers or other identifiers that the Foreign Intelligence Surveillance Court has verified are linked to a foreign power (or agent thereof) engaged in international terrorism. But the second list — the basis for production of those second-hop Call Detail Records — will be generated by NSA itself, using its massive array of internal databases and its own definition of what it means for two numbers (or other identifiers) to be in “direct contact.”

So, that's a concern and one that's incredibly hard to track, as the NSA's transparency reporting obscures the number of selectors queried. Not only that, but despite the report continually referring to "call records" and "telecommunications providers," there's nothing in the program that limits the NSA to collecting only telephone call metadata. Marcy Wheeler points out that a "selector" could be almost anything and return -- instead of numbers dialed or received -- information that could be used to track other activity.

What this means, in effect, is that NSA and FBI (the latter does the actual application) will get a specific identifier — which could be a phone number, a SIM card number, a handset identifier, or a credit card, among other things — approved at the FISC, then go back to at least NSA’s data (and quite possibly FBI’s), and find all the contacts with something deemed to “be” that identifier that would be meaningful for a “phone company” to query their own records with, up to and including a cookie (which is, by definition, a session identifier).

The ambiguity surrounding the term "selector" will not be made any less ambiguous by the NSA's reporting.

Given the breathtaking variety of selector types the NSA uses, this could represent a great deal of queries on the provider side, many tracking user activity rather than user communications. And, at least given how the privacy report describes the transparency reporting, neither those interim NSA selectors nor cookies showing user activity but not communication of information would get counted in transparency reports.

This is how the NSA will be reporting data on selectors, targets and records returned: