The NSA collected data on tens of thousands of Americans

The collection may have been inadvertent, declassified docs show

Newly declassified documents released by the Obama Administration on Wednesday show that the National Security Agency (NSA) collected phone and Internet data on tens of thousands of Americans before it discovered and reported the issue to a secret court that oversees the program.

The documents were posted Wednesday by the Office of the Director of National Intelligence on a new Tumblr page called IC on the Record. The documents include two heavily redacted opinions by the secret Foreign Intelligence Surveillance Court (FISC), another file from 2011 describing the NSA's procedures for targeting and minimizing the data it collects, and several other documents.

In an accompanying statement, Director of National Intelligence James Clapper said the goal in releasing the documents is to give the U.S. public more insight into the "lawful foreign surveillance activities" carried out by the nation's intelligence community.

"In addition to comprehensive explanations of the authorities under which the Intelligence Community conducts foreign surveillance, the site will address methods of collection, use of collected data, and oversight and compliance," Clapper said.

President Barack Obama in June called on Clapper to release more details of the NSA's surveillance after widespread concerns were stoked by former NSA contract worker Edward Snowden's leaks to the media.

The most interesting document released today is a FISC opinion from two years ago that shows the NSA collected phone and Internet data on potentially hundreds of thousands of Americans with no link to terrorism before the court ended the practice in October 2011. The data collection apparently started before the court was established in 2008; FISC ruled the practice unconstitutional after being told about it by the NSA.

The declassified court opinion shows that the NSA's collection of wholly domestic communications happened because it was unable to properly filter the massive volumes of data it was collecting online. According to the court's description of the issue, the NSA's Internet collection devices at the time were incapable of accurately distinguishing between communications that originated outside the U.S. and domestic communications.

An NSA analysis showed that the agency might have acquired between 46,000 and 56,000 domestic communications each year for several years, the court said.

The 85-page opinion written by FISC Chief Judge John Bates reflects frustration with the government's apparently inconsistent descriptions of the nature and scope of the NSA data collection practices.

The FISC was established in 2008 to oversee the data collection activities that U.S. intelligence agencies carry out under the Foreign Intelligence Surveillance Act (FISA). Among other things, the secret court is responsible for reviewing and approving NSA requests for collecting data from Internet and phone service providers.

Details about the NSA's inadvertent domestic data collection emerged during one such request in 2011.

Bates said that the court had previously approved NSA requests based on the agency's description of its data collection practices, but noted with frustration that the description kept changing. The court initially understood that the NSA's technical measures would prevent the acquisition of domestic content, but later discovered that those measures were inadequate, Bates said in his opinion.

"The Court is troubled that the government's revelations regarding NSA's acquisition of Internet transactions marks the third instance in less than three years in which the government has disclosed a substantial misrepresentation regarding the scope of a major collection program," the opinion notes.

A footnote pointed to similar inconsistencies in the NSA's description of its phone metadata collection activities. "Contrary to the government's repeated assurances, NSA had been routinely running queries of the metadata using querying terms that did not meet the standard for querying." The querying standard had been "so frequently and systematically violated" that it never worked effectively, the court noted.

Such facts fundamentally alter the statutory and constitutional basis for the data collection, Bates said in the opinion.

In a statement referencing the October 2011 FISA opinion, the Office of the Director of National Intelligence said the problems stemmed from an incomplete understanding of data collection technology. "These incidents were due to a variety of factors, including gaps in technical understanding among various NSA components about how certain aspects of the complex architecture supporting the programs functioned."

Those gaps led to an unintended misrepresentation of the manner in which the NSA collected data, the statement said. It noted that after the issue was discovered, steps were taken to minimize data collection and ensure that it was more targeted.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.
