NSA Admits It Improperly Collected a Huge Amount of Americans’ Call Records

HELL-O

A purge of hundreds of millions of domestic phone records suggests that the only post-Edward Snowden reform Congress passed hasn’t worked.

Gary Bryan

The National Security Agency has admitted to improperly collecting what appears to be hundreds of millions of phone records from Americans, casting doubt on whether the principal restriction Congress imposed after Edward Snowden’s revelations has significantly inhibited the surveillance behemoth.

In a statement released Thursday saying it has deleted the data wholesale, the agency said it had on its own discovered that telecommunications firms had been providing NSA with records of Americans’ phone calls or texts that it “was not authorized to receive.” The discovery occurred “several months ago.” Echoing previous explanations for overcollection, NSA said unspecified “technical irregularities” were to blame.

Citing similarly unspecified technical reasons why it cannot distinguish between legally and illegally acquired phone data, NSA opted to delete “all” such data “acquired since 2015” under a post-Snowden update to a crucial surveillance law.

“We did not receive any content, geolocation data, or financial data,” Chris Augustine, an NSA spokesman, told The Daily Beast.

Despite the sweeping remedy for the overcollection, the NSA did not estimate how many records it had purged, let alone how many Americans were affected. The scale is certain to be massive. According to an April report from the director of national intelligence, under the USA FREEDOM Act, NSA collected 685 million call records over two years.

“We’re talking about hundreds of millions of records,” said Julian Sanchez, a surveillance scholar at the Cato Institute.

A purge of three years of call data was “so radical” a solution, Sanchez said, that it raised questions over the resemblance the post-2015 phone records program has had, in practice, to what the Obama and Trump administrations have portrayed to the Foreign Intelligence Surveillance Court (FISC) overseeing it.

The FISC, which meets entirely in secret, tends to be deferential to surveillance requests. But it has also paused or even shut down substantial aspects of warrantless NSA surveillance in the past after growing dissatisfied with incorrect NSA explanations of its collection procedures. Often, the NSA has attributed the discrepancy to technical issues and argued that it has not committed willful abuse. Most recently, the court last year functionally stopped NSA from collecting Americans’ emails that discussed surveillance targets.  

“Given the track record of the FISC, you have to wonder how egregious this [overcollection] was,” Sanchez said.

Surveillance experts said the mass deletion also raised questions about the national-security significance of the call records in the first place. “Either there was a violation of massive proportions, or this data wasn’t of much value anyway, or both,” said Liza Goitein of the Brennan Center for Justice at New York University.

In June 2013, thanks to Snowden, The Guardian revealed that the NSA had for years collected the phone records of millions of Americans, all without either warrants or any individualized suspicion of wrongdoing. Two years later, following a federal appeals court ruling the bulk surveillance illegal, Congress mandated an overhaul of NSA’s procedures for mass phone-data collection in a compromise bill that civil libertarians considered better than nothing.

That law, known as the USA FREEDOM Act, reversed the process by which NSA performed large-scale phone data collection. Instead of NSA harvesting the records from telecommunications carriers, the telecoms would provide the records to the surveillance agency. But the law, substantially weakened as it wended its way through Capitol Hill, still permitted the collection of tremendous amounts of domestic phone records, to include records of everyone a targeted “selector,” such as a phone number, communicated with—and those of everyone those numbers communicated with, a process known as “two-hop” surveillance. The collection, which still occurs without individualized suspicion of wrongdoing, lasts for six months.

NSA’s statement assured that “the root cause of the problem has since been addressed,” but it did not explain either how or what gave the agency the confidence to make such an assurance.

Asked to clarify, Augustine told The Daily Beast: “We cannot comment on that because the answer involves operational details about NSA’s use of the UFA CDR [USA FREEDOM Act call-data records] authority that remain classified.”

Capitol Hill sources told The Daily Beast they were made aware of the NSA overcollection around late May, the time frame the agency said it began purging the ill-acquired call records.

“Over and over again, NSA says we don’t have to worry because these violations are inadvertent. At some point, that’s cold comfort when we’re trusting NSA to collect hundreds of millions of our records and they’re persistently failing to adhere to the legal limits,” Goitein said.

“Clearly, USA FREEDOM hasn’t been working as intended, and it would seem from this that it’s never worked as intended,” she continued. “Either the NSA isn’t trying very hard to comply with the legal limitations, or it is and it’s simply incapable of consistent compliance, because the system is simply too big and too complex. At that point, we have to ask if data collection on Americans in these numbers results in an inability to stay within the law.”

Ron Wyden, an Oregon Democrat on the Senate intelligence committee and its leading privacy hawk, lambasted the telecoms for the overcollection but did not criticize the NSA.

“Telecom companies hold vast amounts of private data on Americans,” Wyden told The Daily Beast. “This incident shows these companies acted with unacceptable carelessness, and failed to comply with the law when they shared customers’ sensitive data with the government.”