For ten years — until 2011 — the National Security Agency collected gigantic amounts of metadata on email communications, including bulk information on Americans starting in 2007, the latest reports and documents leaked by Edward Snowden show in startling detail. Perhaps more startling still is how the U.S. government, spurred by Vice President Cheney and continuing to operate under an act-first-get-legal-permission-later mindset, consistently avoided external oversight into never-before-at
The Guardian offered the first details of the email collection, codenamed STELLARWIND, in a multi-part report Thursday. As recently as two years ago, the NSA was grabbing metadata on millions of emails between Americans, in an operation similar to the recently revealed collection of data about phone calls. But there's a difference: email metadata is even more revealing than that from phone calls. It can show locations as identified by IP addresses and full email addresses of parties involved (including BCCs). As the Guardian's Glenn Greenwald writes, "it is hard to distinguish email metadata from email content."
What's more alarming, though, is what the paper reveals about how the collection came into effect. If you cobble together information from the paper's various articles and leaked files, the timeline on STELLARWIND and beyond apparently looks like this:
September 2001. The NSA begins exploring how it can use its existing authority to collect more information on electronic communications.
October 2001. The NSA tells members of the House Intelligence Committee and CIA director George Tenet about its collection of information on pre-approved phone numbers. Tenet talks to the White House and then returns to NSA, according to a leaked Inspector General's report. "Mr Tenet revealed that the Vice President wanted to know if NSA could be doing more."
October 4, 2001. The NSA starts doing more. After reporting to Cheney about the gaps in its intelligence collection, Bush signs off on an expansion of data collection. This includes metadata collection.
It's worth stepping out here to focus on a section of that IG report dealing with the initial authorization. It's below.
The first authorization "could have been interpreted to allow domestic content collection," but NSA Chief Michael Hayden insisted that his "personal standard" would keep the agency from doing so. That was the protection in place. Again, we distinguish between metadata — information about a message — and the message itself. The "content" referred to above means the message. The metadata collected could include a point of contact in the United States if none of the participants were known to be Americans.
It's also worth noting that, during this time period, the NSA determined that getting approval for its expanded data collection under the Foreign Intelligence Surveillance Act wasn't worth the effort. Getting FISA approval would have curtailed the agency's flexibility and the number of targets it could surveil. Instead, it relied on its own internal reviews of legality to assure that it complied with the law. The NSA's general counsel signed off on October 5.
Approval of data analysis involving domestic targets was tasked to the Chief of Counterterrorism — or the program manager if the Chief was absent. How their "personal standards" applied is not clear.
2002. For the first time, the NSA Inspector General, the person responsible for oversight of the agency, is allowed to know about the data collection program. According to the NSA General Counsel (as outlined in the IG report), "the President would not allow the IG to be briefed sooner."
2004. The NSA begins sharing data with the FBI and CIA. The sharing stemmed from a secret decision made by the Department of Justice's Office of Legal Counsel — a decision that not even the NSA was privy to at first. That legal questionability began to unnerve participants in the program.
Later that year, Bush was forced to stop the program after "senior figures at the Justice Department and FBI," as described by the Guardian, directly raised those concerns. One of those figures was James Comey, recently nominated by OBama to lead the FBI.
As the Guardian reports, the rebellion was quickly put to rest.
The DoJ quickly convinced the Fisa court to authorize ongoing bulk collection of email metadata records. On 14 July 2004, barely two months after Bush stopped the collection, Fisa court chief judge Collen Kollar-Kotelly legally blessed it under a new order – the first time the surveillance court exercised its authority over a two-and-a-half-year-old surveillance program.
The process so far: Cheney tells the NSA to go further in data collection. It does so, under its own legal interpretation. It starts working with domestic law enforcement, which makes it nervous — until a member of the FISA Court (a secret court we've discussed before) gives a thumbs up.
2007. After six years, the government decides to expand how the data collected under the program could be used. As detailed in another leaked document, the Secretary of Defense and Attorney General approve "supplemental procedures." Greenwald writes:
"NSA believes that it is over-identifying numbers and addresses that belong to United States persons and that modifying its practice to chain through all telephone numbers and addresses, including those reasonably believed to be used by a United States person," Weinstein wrote, "will yield valuable foreign intelligence information primarily concerning non-United States persons outside the United States."
The procedures "would clarify that the National Security Agency (NSA) may analyze communications metadata associated with United States persons and persons believed to be in the United States", Wainstein wrote.
In other words: bulk collection of information on Americans' email and internet use.
2008. Congress (which, the Inspector General's report notes, has been briefed regularly) passes amendments to FISA officially legalizing certain data collection by the NSA.
2011. Two years after taking office, Obama ends the email data collection program. Why?
The metadata program just described in the Guardian stopped in 2011 because it "was not yielding much value" US official tells LA Times.— Ken Dilanian (@KenDilanianLAT) June 27, 2013
To some extent, it's not the program itself that is remarkable. At this point, it would be hard for new revelations from Greenwald and the Guardian about government surveillance to be truly shocking. (In an interview with BuzzFeed, Greenwald indicates that he has so many more documents from Snowden that he hasn't "actually gone through them all.")
What's remarkable is that, for all of the protestations from current NSA chief Keith Alexander that he is subject to rigorous oversight and that the agency doesn't collect emails, his authority was certainly born from a different impetus: a push to move quickly to get whatever information it could using its own legal analysis, and dealing with the consequences years later.