The Guardian's latest Snowden-gram is worth your full read, whether or not you're a fan of foe of the person who leaked it. A lot of it is familiar, and in a good way. I'm relieved: If the NSA inspector general is to be believed, his conclusions mean that none of the intelligence sources who spoke to me about the programs for my book were dishonest with me. Their account of what happened jibes with the inspector general's history of the STELLARWIND program.
Here's what jumped out at me:
1. My friends in the intelligence community might disagree, but I can make a good faith-and-facts argument that virtually everything in the report is (a) not damaging to national security, (b) ought to be declassified, (c) ought to have been declassified a while ago, and (d) contributes to the necessary public discussion about surveillance and collection post 9/11.
2. The NSA's biggest problem post 9/11 was not about complying with the law or even making a good faith effort to minimize collection against U.S. persons. It was, instead, struggling to reconcile the demands secrecy imposed on it, externally (from the thuggish behavior of the office of the vice president) and internally (expressed by the general culture of secrecy that envelops the agency).
3. The report confirms that NSA inspector general Robert Deitz, on his own, took an extra step and decided that before actual interception of U.S.-based content could be performed, "probable cause" was to be used as an internal NSA standard, and not just a legal one. (This was, of course, before the FISA court got involved.) Now, it's certainly true that using that standard internally is less strict than asking a court to impose it, but it still suggests, far from being a rubber stamp for the White House, the NSA pushed back, even before it had to.
4. The roots of the NSA's decision to engage in "contact-chaining" — that is — to see who called a number it had, was based on a 1999 Justice Department legal opinion that said that performing such analysis on metadata was allowed by FISA only. But there was no practical way, at least in NSA's view, to meet FISA's requirements. NSA's argument (on p.6) is one that, in theory, Congress could have ameliorated with legislation, but NSA and the White House did not believe that (for various reasons) Congress should have made public what it believed was an NSA strategic advantage.
5. At a minimum, NSA director Hayden wanted the ability to gobble up data as it passed through the US, which, as I've reported along with many others, constituted a significant percentage of international email communications at the time. But minimization procedures had to be followed, so that the NSA could only perform metadata analysis on U.S. persons data that was anonymized. This proved difficult early on because the technology had was not sufficient.
6. The wording of the first directive allowed the NSA to collect content from U.S. persons and to collect communication to and from U.S. persons. When the White House pointed this out, Hayden said that, in essence, he would not use the authority to this, that NSA had technological limitations that prevented it from doing so, and NSA was a foreign intelligence agency. (The NSA report implies that the White House wanted the collection authority written in a way that allowed for such domestic communications intercepts in emergency situations).
7. The NSA created a special programs division within its Signals Intelligence Directorate; eventually, an "Advanced Analysis Division" was set up to analyze (a) content (b) internet metadata and (c) telephone metadata; the agency's CT product line worked on finished products. None of the collection took place at NSA field sites.
8. "Collection managers were responsible for putting telephone number and email selectors on PSP-authorized collection by private sector companies and take them off collection." This means, I think, that only these selectors were allowed to be searched/analyzed by analysts. It is unclear how NSA segregated this data from the rest of the data that it was collecting in bulk from several major telecoms (identified as COMPANY A, which I think is AT&T, and COMPANY B, which, I think, is VERIZON.)
9. The NSA did conduct call chaining with two hops — that is, it would take a U.S. number, and see who called that number, and then see who called THOSE numbers — and then matched them up with flagged selectors in the database to see whether any lines intersected. However, not every "selector" was approved for two-hop collection. Some were denied, based on the lack of their being evidence that they were connected to the "nexus" of al Qaeda. Others were approved only for one hop — i.e., direct contact — chaining. It is not clear how these rules have changed, or whether they have.
10. This is the biggie: of all the bulk data that NSA took in, from the end of 2001-2007, humans listened to or read the content associated with 2,612 domestic telephone numbers and about 300 domestic email addresses. That's 8 percent of the universe of selectors in the program (the other end being the foreign terminals of the conversation).
11. The NSA had installed equipment at company-controlled sites, and these selectors were sent to NSA reps at these sites, who filtered this content into the NSA databases FROM the external sites. (These would be, I assume, switches at major telecom facilities.). Once finished intelligence analyses were completed, the NSA's compliance officers reviewed each product to verify that minimization procedures were followed
12. The NSA initially sent its tips to the CIA and the FBI in forms that basically looked like this:
lkjsafkladjKLADFSJKLAFSDKJ MARC AMBINDER JKDJAKLSDFJLASDFLK.
Eventually, the CIA and FBI needed better context, so the NSA started providing more information directly without identifying the STELLARWIND program as the source of the intercept.
13. Everything described above was done WITHOUT Congressional or FISA court oversight.
14. The NSA has special, classified relationships with more than 100 U.S. companies.