NSA black hole: 5 things we still don't know about agency's snooping
This story was originally published by ProPublica.
ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.
Last week saw revelations that the FBI and the National Security Agency have been collecting Americans’ phone records en masse and that the agencies have access to data from nine tech companies.
But secrecy around the programs has meant even basic questions are still unanswered. Here’s what we still don’t know:
Has the NSA been collecting all Americans’ phone records, and for how long?
It’s not entirely clear.
The Guardian published a court order that directed a Verizon subsidiary to turn over phone metadata -- the time and duration of calls, as well as phone numbers and location data -- to the NSA “on an ongoing daily basis” for a three-month period. Citing unnamed sources, the Wall Street Journal reported the program also covers AT&T and Sprint and that it covers the majority of Americans. And Director of National Intelligence James Clapper himself acknowledged that the “collection” is “broad in scope.”
How long has the dragnet has existed? At least seven years, and maybe going back to 2001.
Senate Intelligence Committee chair Dianne Feinstein, D-Calif., and vice chair Saxby Chambliss, R-Ga., said last week that the NSA has been collecting the records going back to 2006. That’s the same year that USA Today revealed a similar-sounding mass collection of metadata, which the paper said had been taking place since 2001. The relationship between the program we got a glimpse of in the Verizon order and the one revealed by USA Today in 2006 is still not clear: USA Today described a program not authorized by warrants. The program detailed last week does have court approval.
What surveillance powers does the government believe it has under the Patriot Act?
The Verizon court order relies on Section 215 of the Patriot Act. That provision allows the FBI to ask the Foreign Intelligence Surveillance Court for a secret order requiring companies, like Verizon, to produce records – “any tangible things” – as part of a “foreign intelligence” or terrorism investigation. As with any law, exactly what the wording means is a matter for courts to decide. But the Foreign Intelligence Surveillance Court’s interpretation of Section 215 is secret.
As Harvard Law Professor Noah Feldman recently wrote, the details of that interpretation matter a lot: “Read narrowly, this language might require that information requested be shown to be important or necessary to the investigation. Read widely, it would include essentially anything even slightly relevant — which is to say, everything.”
In the case of the Verizon order -- signed by a judge who sits on the secret court and requiring the company to hand over “all call detail records" -- it appears that the court is allowing a broad interpretation of the Patriot Act. But we still don’t know the specifics.
Has the NSA’s massive collection of metadata thwarted any terrorist attacks?
It depends which senator you ask. And evidence that would help settle the matter is, yes, classified.
Sen. Mark Udall, D-Colo., told CNN on Sunday, “It's unclear to me that we've developed any intelligence through the metadata program that's led to the disruption of plots that we could [not] have developed through other data and other intelligence.”
He said he could not elaborate on his case “without further declassification.”
Sen. Feinstein told ABC that the collection of phone records described in the Verizon order had been “used” in the case of would-be New York subway bomber Najibullah Zazi. Later in the interview, Feinstein said she couldn’t disclose more because the information is classified. (It’s worth noting that there’s also evidence that old-fashioned police work helped solve the Zazi case — and that other reports suggest the Prism program, not the phone records, helped solve the case.)
How much information, and from whom, is the government sweeping up through Prism?
It’s not clear.
Intelligence director Clapper said in his declassified description that the government can’t get information using Prism unless there is an “appropriate, and documented, foreign intelligence purpose for the acquisition (such as for the prevention of terrorism, hostile cyber activities, or nuclear proliferation) and the foreign target is reasonably believed to be outside the United States.”
One thing we don’t know is how the government determines who is a “foreign target.” The Washington Post reported that NSA analysts use “search terms” to try to achieve “51 percent confidence” in a target’s “foreignness.” How do they do that? Unclear.
We’ve also never seen a court order related to Prism -- they are secret -- so we don’t know how broad they are. The Post reported that the court orders can be sweeping, and apply for up to a year. Though Google has maintained it has not "received blanket orders of the kind being discussed in the media."
So, how does Prism work?
In his statement Saturday, Clapper described Prism as a computer system that allows the government to collect “foreign intelligence information from electronic communication service providers under court supervision.”
That much seems clear. But the exact role of the tech companies is still murky.
Relying on a leaked PowerPoint presentation, the Washington Post originally described Prism as an FBI and NSA program to tap “directly into the central servers” of nine tech companies including Google and Facebook. Some of the companies denied giving the government “direct access” to their servers. In a later story, published Saturday, the newspaper cited unnamed intelligence sources saying that the description from the PowerPoint was technically inaccurate.
The Post quotes a classified NSA report saying that Prism allows “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,” not the company servers themselves. So what does any of that mean? We don't know.