Provisions under which NSA can collect, retain data on U.S. residents revealed

<em>The Guardian</em> publishes two more secret documents on NSA spy programs

Two secret documents describing the procedures the National Security Agency (NSA) is required to follow when spying on foreign terror suspects reveal the provisions that allow the agency to collect, retain and use information on U.S residents without a warrant, The Guardian newspaper reported today.

The paper published two documents that it presumably obtained from Edward Snowden, the former NSA contractor who has admitted to leaking classified documents describing two top-secret government data collection programs.

Both the documents are dated July 28, 2009 and are signed by Attorney General Eric Holder. They also appear to have been approved by the Foreign Intelligence Surveillance Court, a secret court that was established specifically to oversee government data access requests filed under Foreign Intelligence Surveillance Act of 1978.

FISA was originally designed to give U.S. intelligence a tool for keeping an eye on suspects in foreign countries who were perceived to pose a threat to U.S. national security. It was amended in 2008 and now gives U.S. intelligence agencies significantly broader authority to keep an eye on the communications that foreign-based suspects have with people outside the country and inside the U.S.

One document published by The Guardian describes the procedures that NSA agents need to follow when spying on people who are reasonably believed to be outside the United States. The other describes the data minimization procedures that the NSA is required to follow when gathering, retaining and using electronic communications and other information pertaining to foreign suspects.

The documents make it clear that the NSA is not permitted to intentionally conduct surveillance or intentionally collect information on U.S residents under the authority granted to it by FISA.

They also show that several detailed procedures exist to ensure that inadvertent collection of data on U.S. residents is kept to a minimum. The secret documents describe the measures the NSA must take to ensure that targets are indeed based outside the USA and how they must destroy data that is inadvertently collected on U.S. residents.

Even so, the court-approved documents also show that the NSA is allowed to retain "inadvertently acquired" data on U.S. persons for up to five years if the data contains usable intelligence, if the data is encrypted, or contains information on criminal activity, the Guardian said.

The NSA can similarly retain inadvertently collected data on U.S. residents if the data contain information relevant to cybersecurity or evidence of a threat of harm to persons or property. It also allows the NSA to access the actual content of communications inadvertently gathered from U.S. systems to establish if the systems are indeed based in the U.S. and to eliminate them from further surveillance.

In situations where the NSA does not have any information on a person's location, they are free to assume that the person is based overseas, the report noted, citing from a 2010 court order it says it has obtained.

"If it later appears that a target is in fact located in the US, analysts are permitted to look at the content of messages, or listen to phone calls, to establish if this is indeed the case," the paper said.

Such information would appear to undercut comments made by various administration and intelligence officials about the NSA's foreign surveillance activities not impacting U.S. residents. Though officials have conceded that their surveillance activities may occasionally result in information on U.S. residents being gathered, they have tended to downplay the impact of such information gathering.

The Guardian's latest revelations comes about two weeks after it first broke the story about the NSA collecting phone call metadata records pertaining to all calls made by Verizon customers since at least April. That revelation, followed by another from The Washington Post about another secret surveillance program called PRISM have resurfaced long-held fears among privacy advocates about post 9-11 anti-terror programs being used as an excuse to conduct dragnet domestic surveillance.

Two lawsuits have already been filed against the administration, the Justice Department and the NSA over the data collection programs. Several lawmakers have also asked for more transparency and oversight over the programs.

On Thursday, two lawmakers introduced a bill in the U.S. House of Representatives that would require the Department of Justice to declassify significant decisions made by the Foreign Intelligence Surveillance Court. The goal is to give Americans a chance to understand how the court has interpreted the authorities provided to the government under FISA and the Patriot Act.

Meanwhile, Snowden, the man at the center of the story, is believed to be hiding in Hong Kong and is reportedly said to be looking for asylum in Iceland. The FBI is expected to press criminal charges against him shortly.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is

See more by Jaikumar Vijayan on

Read more about privacy in Computerworld's Privacy Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Gov't Legislation/RegulationNational Security Agencysecurityregulationgovernmentintelprivacy

More about Department of JusticeFBINational Security AgencyNSATopicVerizonVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place