NSA Stops Certain Section 702 “Upstream” Activities
published on NSA| CSS, on April 28, 2017
Since 2008, the National Security Agency (NSA) and other members of the U.S. Intelligence Community have relied on Section 702 of the Foreign Intelligence Surveillance Act (FISA) to conduct surveillance on specific foreign targets located outside the United States to acquire critical intelligence on issues ranging from international terrorism to cybersecurity. After a comprehensive review of mission needs, current technological constraints, United States person privacy interests, and certain difficulties in implementation, NSA has decided to stop some of its activities conducted under Section 702.
While the Foreign Intelligence Surveillance Court (FISC) was considering the government’s annual application to renew the Section 702 certifications, NSA reported several earlier, inadvertent compliance incidents related to queries involving U.S. person information in 702 “upstream” internet collection. Although the incidents were not willful, NSA was required to, and did, report them to both Congress and the FISC. The court issued two extensions of the government’s renewal application in order to receive additional information from the government about this issue and the government’s plan to resolve it. The previous year’s certifications remained in effect during these extension periods.
During the extension period, NSA undertook a broad review of its Section 702 program. Under Section 702, NSA collects internet communications in two ways: “downstream” (previously referred to as PRISM) and “upstream.” Under downstream collection, NSA acquires communications “to or from” a Section 702 selector (such as an email address). Under upstream collection, NSA acquires communications “to, from, or about” a Section 702 selector. An example of an “about” email communication is one that includes the targeted email address in the text or body of the email, even though the email is between two persons who are not themselves targets. The independent Privacy and Civil Liberties Oversight Board described these collection methods in an exhaustive report published in 2014.
After considerable evaluation of the program and available technology, NSA has decided that its Section 702 foreign intelligence surveillance activities will no longer include any upstream internet communications that are solely “about” a foreign intelligence target. Instead, this surveillance will now be limited to only those communications that are directly “to” or “from” a foreign intelligence target. These changes are designed to retain the upstream collection that provides the greatest value to national security while reducing the likelihood that NSA will acquire communications of U.S. persons or others who are not in direct contact with one of the Agency’s foreign intelligence targets.
In addition, as part of this curtailment, NSA will delete the vast majority of previously acquired upstream internet communications as soon as practicable.
NSA previously reported that, because of the limits of its current technology, it is unable to completely eliminate “about” communications from its upstream 702 collection without also excluding some of the relevant communications directly “to or from” its foreign intelligence targets. That limitation remains even today. Nonetheless, NSA has determined that in light of the factors noted, this change is a responsible and careful approach at this time.
After reviewing amended Section 702 certifications and NSA procedures that implement these changes, the FISC recently issued an opinion and order, approving the renewal certifications and use of procedures, which authorize this narrowed form of Section 702 upstream internet collection. A declassification review of the FISC’s opinion and order, and the related targeting and minimization procedures, is underway.
The National Security Agency works tirelessly around the world to help keep the nation safe. We have a solemn responsibility and commitment to do this work exactly right. When incidents occur, we immediately report them to oversight bodies and develop appropriate solutions. We never stop putting improvements in place while carrying out our critical mission.
Date Posted: April 28, 2017 | Last Modified: June 28, 2018
