The NSA Can Use Incidental Data Under Certain Conditions

One of the scariest parts about the NSA’s spying program is its collection of incidental data – information that may or may not be about American citizens that just so happens to be picked up with information on non-U.S. targets. It’s been said that the NSA can’t use this data, but a new report says they can under certain conditions.

The Guardian released another two documents today that detail how the NSA can use information it inadvertently collects on Americans. Both documents were submitted to the secretive FISA court by Attorney General Eric Holder as they bear his signature.

So, without further ado, here’s what the NSA can do with the data it may or may not have collected on Americans:

Keep data that could potentially contain details of US persons for up to five years;

Retain and make use of “inadvertently acquired” domestic communications if they contain usable intelligence, information on criminal activity, threat of harm to people or property, are encrypted, or are believed to contain any information relevant to cybersecurity;

Preserve “foreign intelligence information” contained within attorney-client communications;

Access the content of communications gathered from “U.S. based machine[s]” or phone numbers in order to establish if targets are located in the US, for the purposes of ceasing further surveillance.

What makes the above especially worrisome is that the documents reveal there is not a lot of oversight in regards to who the NSA actually targets. NSA analysts are allowed to pick and choose who they target without having to get clearance from the courts. The only thing in place is an internal audit system that reviews targets.

Another worrisome aspect is a different order from 2010 that says that NSA is allowed to collect information on a target as long at that person “is a non-United States person reasonably believed to be outside the United States.” That doesn’t sound so bad until you read that the order allows the NSA to just automatically assume the target is outside the U.S. if it can’t confirm the target’s location. To make matters worse, the NSA can read messages from and listen in on phone calls of assumed non-U.S. persons to confirm whether or not they are in the U.S.

Now, what happens once the target has been confirmed to a U.S. person? The NSA must then start what it calls a “minimization procedure.” In short, it means that the NSA must stop collecting information on the target immediately. Of course, the NSA analyst in charge of the investigation can appeal to a higher up to keep the information if they feel that it contains information related to the one of the following:

Significant foreign intelligence information

Evidence of a crime

Technical data base information (a.ka. encrypted data)

Information pertaining to a threat of serious harm to life or property

The NSA must immediately destroy data on U.S. persons if it does not pertain to one of the above categories. However, the agency is allowed to keep information on U.S. persons if they’re found to be communicating with someone outside the U.S. On top of that, the communications between non-U.S. and U.S. persons can be shared with friendly governments if the U.S. person is anonymized.

All of these rules fly out the window when the NSA throws out a wide data collection net. In that case, the agency argues that it can’t filter out information on U.S. persons that is inadvertently collected alongside information on non-U.S. persons.

The big takeaway from all of this is that the NSA is not subjected to as much oversight as President Obama and others have indicated. In fact, it seems that the NSA can pretty much do whatever the hell it wants with only internal audits and individual discretion getting in the way of data collection. It makes you really wish Congress would pass one of those transparency bills that would make the NSA’s data collection open for debate.