NSA Civil Liberties and Privacy Office Transparency Report: THE USA FREEDOM Act Business Records FISA Implementation
15 January 2016

I. Introduction: Assessing the Privacy Impact of the USA FREEDOM Act

The National Security Agency's Civil Liberties and Privacy Office (CLPO)[1] conducted a civil liberties and privacy impact assessment examining how the National Security Agency (NSA) is implementing the changes effected by the USA FREEDOM Act to the telephone metadata program that the Agency had conducted pursuant to the "Business Records" provision in Section 215 of the USA PATRIOT Act. The latter section amended the Foreign Intelligence Surveillance Act (FISA) and authorized NSA to collect and analyze certain telephone metadata. The USA FREEDOM Act, which was enacted in June 2015 and became effective on November 29, 2015, made significant changes to NSA's authority in this regard. This report summarizes CLPO's assessment and its underlying analysis of how this new authority is being implemented.

Civil liberties and privacy impact assessments inform NSA's decision making. They identify potential civil liberties and privacy (CLP) impacts, describe and document CLP safeguards applied to a given activity, and support increased transparency within NSA, to external overseers, and, as appropriate, to the public. As part of the implementation of the Principles of Intelligence Transparency for the Intelligence Community (IC), the NSA CLPO is publishing this unclassified report.

Assessments apply the eight Fair Information Practice Principles (FIPPs, Appendix A) and serve as the basis for identifying civil liberties and privacy impacts. The FIPPs are the standard by which the government and many in the private sector assess privacy impacts and develop mitigations. The FIPPs also establish a basis for identifying and mitigating civil liberties impacts by providing a framework to identify features of an activity that may impact an individual without a justifiable purpose, be used against an individual's interest without sufficient limitation, or negatively affect an individual without accountability or a means of redress, among others.

NSA's goal under the USA FREEDOM Act remains the same as that under its predecessor program: to collect, analyze, and disseminate foreign intelligence information about international terrorist threats. The government has strengthened privacy safeguards by, among other things, ending the collection of telephone metadata in bulk and having telecommunications providers, pursuant to court orders, hold and query the data.

NSA's implementation of the USA FREEDOM Act has been and continues to be a complex effort that requires the active participation of multiple offices across NSA with technical, legal, civil liberties and privacy, and compliance expertise. NSA's Civil Liberties and Privacy Office has played and continues to play an integral part in this process, ensuring that civil liberties and privacy risks and impacts are thoroughly assessed (and, as appropriate, mitigated) as the Agency developed and continues to refine the technical architecture needed to support the new authority.

This report first presents a definition of key terms and then provides an overview of the process for obtaining telephone metadata pursuant to the USA FREEDOM Act. The report concludes by providing a detailed privacy and civil liberties analysis of the metadata procedures against the FIPPs.

[1] NSA's Civil Liberties and Privacy Office (CLPO) was established in 2014. CLPO is responsible to the Director of the National Security Agency for ensuring that civil liberties and privacy protections are integrated into policies, plans, procedures, technology, programs and activities across the NSA/CSS global cryptologic enterprise.
In conducting this assessment, NSA identified and implemented policies, procedures, compliance safeguards, and metrics that minimize the civil liberties and privacy impact, while also enabling the Agency to demonstrate its good stewardship of the authority granted under the USA FREEDOM Act.

II. Definition of Key Terms

There are several key terms to understand before describing how NSA has implemented the USA FREEDOM Act:

Call detail records (CDRs), also known as "metadata", from telecommunications providers. A CDR is defined in the USA FREEDOM Act as session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) number, International Mobile Station Equipment Identity (IMEI) number), a telephone calling card number, or the time or duration of a call. CDRs do not include the contents of any communications, the name, address, or financial information of a subscriber or customer, or cell site location or global positioning system information.[2] Under the USA FREEDOM Act, CDRs will be held and queried by the providers.

FISC-approved specific selection term. A selection term, such as a telephone number, when it has been determined that there is a reasonable, articulable suspicion (RAS) that the selection term is associated with one or more foreign powers or their agents engaged in international terrorism or activities in preparation therefore. Such a selection term and the evidence that documents its association with foreign powers or their agents engaged in international terrorism or activities in preparation therefore must be reviewed by NSA's Office of General Counsel before submission to the Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) for preparation of an application to the Foreign Intelligence Surveillance Court (FISC), or a request to the Attorney General in an emergency. The FISC may approve the specific selection term only if the FISC concludes that the RAS standard mandated by the USA FREEDOM Act has been satisfied.[3]

One-hop results. Selection terms that are in direct contact with a FISC-approved specific selection term are considered "one-hop" results. In other words, if NSA determines and the FISC agrees that there is RAS to believe that a specific telephone number is associated with foreign powers or their agents engaged in international terrorism or activities in preparation therefore, then any telephone numbers in contact with that telephone number would be "one hop" from that specific telephone number.

Two-hop results. Selection terms in direct contact with the one-hop selection terms are considered "two-hop" results. As described above, two-hop results would be the telephone numbers that had been in contact with the one-hop telephone numbers.

[2] See The USA FREEDOM Act of 2015, §107: DEFINITIONS.
[3] The RAS standard is the same legal standard used to implement the previous telephone metadata program under Section 215 of the USA PATRIOT Act.

III. Overview of the USA FREEDOM Act Architecture

This section describes the workflow and the core steps of implementation of the USA FREEDOM Act. This section concludes with a hypothetical example to help illustrate how the process works in

[Figure: High-Level Architecture for the USA FREEDOM Act Business Records FISA Implementation. Three phases are shown. Phase 1, RAS Process: the analyst's RAS justification is reviewed and approved; selectors in direct contact with approved selectors are generated from metadata NSA already lawfully possesses and sent, with the approved selectors, to the provider(s). Phase 2, Provider Query Federation: the provider(s) query their business record holdings for CDRs containing either RAS selectors or selectors in direct contact with a RAS selector, and the results are returned to NSA. Phase 3, Analyst Query, Analysis, and Reporting: NSA validates the provider results and stores them in the NSA Enterprise Architecture for analysis.]

1. Application and Authorization: FBI will submit an application to the FISC through the to receive authorization for one or more specific selection terms where (1) there are reasonable grounds to believe that the requested CDRs are relevant to an authorized investigation to protect against international terrorism, and (2) there is RAS to believe that the specific selection term to be used as a basis for the production is associated with a foreign power, or an agent of a foreign power, engaged in international terrorism or activities in preparation therefore. If the FISC agrees that the government has met the statutory requirements, the Court will issue an order approving submission of the specific selection term to the provider(s) that directs the provider(s) to produce the requested CDRs in a form useful to the government. In an emergency, a specific selection term meeting these statutory requirements may be submitted to the Attorney General. The Attorney General must agree that the government has met the statutory requirements and will authorize the submission of the specific selection term to the provider(s) in the first instance, generally with an application to be filed with the FISC within seven days.[4]

2. Collection: The FISC-approved specific selection term, along with any one-hop results generated from metadata NSA already lawfully possesses from previous results returned from the provider(s) and other authorities,[5] will be submitted to the authorized provider(s).[6] The provider(s) will return CDRs that are responsive to the request, meaning the results will consist of CDRs that are within one or two hops of a FISC-approved specific selection term. This step will be repeated periodically for the duration of the order to capture any new, responsive CDRs, but in no case will the procedures generate third or further hops from a FISC-approved specific selection term. The order is valid for no more than 180 days but may be renewed if the FISC determines that the RAS standard continues to be satisfied.

3. Processing, Analysis, Dissemination, and Retention: NSA may process, analyze, disseminate, and retain CDR results only in the manner permitted by the USA FREEDOM Act minimization procedures adopted by the Attorney General and approved by the FISC (See Appendix B). Among other things, these procedures require NSA to limit access to the USA FREEDOM Act results to NSA personnel who have received appropriate and adequate training and guidance regarding the procedures and the restrictions that govern the handling and dissemination of information NSA obtains pursuant to the USA FREEDOM Act. Analysts approved for access to the USA FREEDOM Act results will be able to use the results for analysis related to a foreign power, or an agent of a foreign power, engaged in international terrorism or activities in preparation therefore. Dissemination of U.S. person information must be for a counterterrorism purpose or constitute evidence of a crime.[7]

[4] See The USA FREEDOM Act of 2015, §102 (a)(i)(3). "In the absence of a judicial order approving the production of tangible things under this subsection, the production shall terminate when the information sought is obtained, when the application for the order is denied, or after the expiration of 7 days from the time the Attorney General begins requiring the emergency production of such tangible things, whichever is earliest."
[5] Historical bulk data collected under Section 215 of the USA PATRIOT Act will be retained by NSA until February 29, 2016 solely for technical testing purposes. Separately, NSA remains under a continuing legal obligation to preserve records subject to ongoing civil litigation actions. Historical bulk data collected under Section 215 of the USA PATRIOT Act will never be included when querying internal holdings.
[6] See House Committee on the Judiciary, Rept. 114-109 Part 1, p. 17 (2015).
[7] NSA expects that its analysis of CDRs acquired pursuant to the USA FREEDOM Act will rarely, if ever, result in the dissemination of information solely for a law enforcement purpose.

To illustrate the process, assume an NSA intelligence analyst identifies or learns that phone number (202) 555-1234 is being used by a suspected international terrorist. This is the "specific selection term" or "selector" that will be submitted to the FISC (or the Attorney General in an emergency) for approval using the RAS standard. Also assume that, through NSA's examination of metadata produced by the provider(s) or in NSA's possession as a result of the Agency's otherwise lawfully permitted signals intelligence activities (e.g., activities conducted pursuant to Section 1.7(c)(1) of Executive Order 12333, as amended), NSA determines that the suspected terrorist has used a 202 area code phone number to call (301) 555-4321. The phone number with the 301 area code is a "first-hop" result. In turn, assume that further analysis or production from the provider(s) reveals (301) 555-4321 was used to call (410) 555-5678. The number with the 410 area code is a "second-hop" result.

Once the one-hop results are retrieved from the NSA's internal holdings, the list of FISC-approved specific selection terms, along with NSA's internal one-hop results, are submitted to the provider(s). The provider(s) respond to the request based on the data within their holdings with CDRs that contain FISC-approved specific selection terms or the one-hop selection term. One-hop returns from providers are placed in NSA's holdings and become part of subsequent query requests, which are executed on a periodic basis. Historical bulk data collected under Section 215 of the USA PATRIOT Act will never be included when querying internal holdings.

Absent information to the contrary, NSA must presume that each user of each of the phone numbers in the above example is a U.S. person, since each phone number has a U.S. area code. NSA's FISC-approved minimization procedures for the USA FREEDOM Act prohibit NSA from disseminating any known or presumed U.S. person information that does not constitute foreign intelligence information related to international terrorism or information necessary to understand foreign intelligence information related to international terrorism or assess its importance or is not evidence of a crime. In addition, the minimization procedures require NSA to destroy promptly any CDRs that are determined not to contain foreign intelligence information.
The procedures also set a maximum retention period for CDRs obtained pursuant to the FISC's orders of no more than 5 years after initial delivery to NSA, except that NSA may retain any CDR (or information derived therefrom) that was the basis of a properly approved dissemination of foreign intelligence information.[8]

[8] Note that the minimization procedures also permit NSA to temporarily retain specific CDRs that otherwise would have to be destroyed if DOJ advises NSA in writing that the records are subject to a preservation obligation in pending or anticipated litigation.

IV. Privacy and Civil Liberties Analysis

Fair Information Practice Principle - Transparency

Civil Liberties & Privacy Analysis

The Transparency Principle states that organizations should be transparent and notify individuals regarding collection, use, dissemination, and maintenance of personally identifiable information (PII).

CLPO finds that the robust public debate of the USA FREEDOM Act, as well as the Government's release of detailed information about NSA's implementation of the statute, to include release of the minimization procedures in Appendix B of this report, adequately address the Principle of Transparency.

The USA FREEDOM Act was preceded by extensive public debate following the President's announcement in March 2014 that he intended to seek legislation to fundamentally alter the telephone metadata program that NSA had been conducting pursuant to Section 215 of the USA PATRIOT Act. On 2 June 2015, the USA FREEDOM Act was passed by Congress and signed into law by the President. The government publicly released substantial information about its planned implementation of the USA FREEDOM Act, as well as NSA's plans for data that had been acquired under the old metadata program.[9]

The USA FREEDOM Act also requires the government to publish certain metrics regarding the government's use of the amended Business Records authority. The purpose of the USA FREEDOM Act's mandatory reporting requirements is to provide transparency to the American public. The Office of the Director of National Intelligence (ODNI) plans to report these metrics via ODNI's annual Transparency Report. The key metrics that NSA is obligated to provide are listed below.[10]

- The number of targets under each order:[11] Defined as the person using the selector.
  o For example, if a target has a set of four selectors that have been approved, NSA will count one target, not four. Alternatively, if two targets are using one selector that has been approved, NSA will count two targets.
- The number of unique identifiers used to communicate information collected pursuant to an order:[12] Defined as each unique record sent back from the provider(s).
  o If NSA receives the same record separately, whether from multiple providers or one provider, NSA will count each response separately. The Agency recognizes that NSA's metrics, therefore, likely will be over-inclusive.
- The number of search terms that included information concerning a U.S. person and were used to query any database of CDRs obtained under each order:[13] Defined as the number of times the USA FREEDOM Act data is queried using a U.S. person query term.

In light of the government's publication of detailed information about the new procedures and the USA FREEDOM Act's mandatory reporting requirements, CLPO finds that the Principle of Transparency is satisfied.

[9] See, e.g., Statement of the Office of the Director of National Intelligence, "ODNI Announces Transition to New Telephone Metadata Program," dated 29 November 2015. This press release was accompanied by a "Fact Sheet" that further described NSA's implementation of the new authority.
[10] See The USA FREEDOM Act of 2015, §602: ANNUAL REPORTS BY THE GOVERNMENT.
[11] Ibid., §603(b)(5)(A).
[12] Ibid., §603(b)(5)(B).
[13] Ibid., §603(b)(5)(C).

Fair Information Practice Principle - Individual Participation

Civil Liberties & Privacy Analysis

The Principle of Individual Participation states that organizations should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of PII. Organizations should also provide mechanisms for appropriate access, correction, and redress regarding use of PII.

Although it is unlikely that an individual target will be notified that NSA used the USA FREEDOM Act to acquire telephone metadata about them, CLPO concludes that this is appropriate under the circumstances. NSA does not release information that would reveal the identities of the specific individuals whose CDRs are targeted for collection pursuant to the USA FREEDOM Act. Frequently, the very fact that the government suspects that a particular person is engaged in international terrorism or that a particular phone number is being used by such a person must be kept secret in the interests of national security. If a target of an international terrorism investigation becomes aware of the investigation, he or she likely will take steps to thwart investigators. The targets of such investigations also attempt to conceal from the government the identities of their contacts. As a consequence, direct individual participation thwarts the government's legitimate need to identify individuals engaged in international terrorism. A less intrusive and more effective means of identifying contacts of individuals engaged in international terrorism is to acquire CDRs.
CDRs, per the statute, contain only telephone metadata and not, for example, the contents of any personal communication or the caller's name or location of any phone call. CDRs are business records generated by a provider for the provider's own business use. Instead of direct individual participation, the Act requires approval by the FISC (or the Attorney General in emergency situations) before any specific selection term may be used in a query request to the provider(s). In the event of an error, the FISC retains authority to order the government to take corrective action. Other safeguards include rigorous internal and external oversight to ensure full compliance with the law. CLPO concludes that, under the circumstances, the oversight and compliance mechanisms serve as sufficient proxies to satisfy the Principle of Individual Participation.

Fair Information Practice Principle - Purpose Specification

Civil Liberties & Privacy Analysis

The Principle of Purpose Specification provides that organizations should specifically articulate the authority that permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used.

CLPO concludes that NSA's implementation of the USA FREEDOM Act satisfies the Principle of Purpose Specification. As noted in the discussion of the Principle of Transparency, the government has publicly released, and continues to release, information about its implementation of the USA FREEDOM Act, as well as NSA's plans for data that had been acquired under the old metadata program. This information, including this report, publicly describes how NSA is implementing the USA FREEDOM Act and also articulates the counterterrorism purpose for the authority. This information is contained in the statute itself, Congressional reports and debate regarding the statute, the FISC-approved minimization procedures, and other publicly released information.
Therefore, CLPO finds that the Principle of Purpose Specification has been satisfied.

Fair Information Practice Principle - Data Minimization

Civil Liberties & Privacy Analysis

The Principle of Data Minimization states that organizations should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s).

CLPO concludes that NSA's implementation of the USA FREEDOM Act satisfies the Principle of Data Minimization. The new authority explicitly minimizes the amount and type of data accessible to NSA. NSA no longer collects CDRs in bulk under FISA. Under the USA FREEDOM Act, only telephone metadata (not, for example, the contents of any personal communication or the caller's name or location of any phone call) may be acquired. The statute further limits the production of CDRs to those that are FISC-approved and those that are no more than two hops from a FISC-approved specific selection term.

Appendix B to this report contains the minimization procedures that were adopted by the Attorney General and approved by the FISC to govern NSA's handling of the telephone metadata that NSA acquires pursuant to the USA FREEDOM Act. These minimization procedures prohibit NSA from reporting any known or presumed U.S. person information that does not constitute foreign intelligence information related to international terrorism or information necessary to understand foreign intelligence information related to international terrorism or assess its importance or is not evidence of a crime. In addition, the minimization procedures require NSA to destroy promptly any CDRs that are determined not to contain foreign intelligence information. The procedures set a maximum retention period for CDRs obtained pursuant to the FISC's orders of no more than 5 years after initial delivery to NSA, except that NSA may retain any CDR (or information derived therefrom) that was the basis of a properly approved dissemination of foreign intelligence information. In addition, the procedures contain detailed oversight and compliance responsibilities.

In short, CLPO finds that the Principle of Data Minimization is satisfied by NSA's USA FREEDOM Act minimization procedures, as well as the limitation in the statute itself that focuses solely on CDRs and limits production of CDRs to those that are no more than two hops from a FISC-approved specific selection term.

Fair Information Practice Principle - Use Limitation

Civil Liberties & Privacy Analysis

The Principle of Use Limitation provides that organizations should use PII solely for the purpose(s) specified in the notice. Sharing PII should be for a purpose compatible with the purpose for which the PII was collected.

CLPO concludes that NSA's implementation of the USA FREEDOM Act satisfies the Principle of Use Limitation. The restrictions articulated in the USA FREEDOM Act and the FISC-approved minimization procedures adopted by the Attorney General and described above in the Principle of Data Minimization provide important use limitations. NSA is required to follow the detailed minimization procedures to govern its handling of telephone metadata acquired pursuant to the USA FREEDOM Act. The minimization procedures outline the counterterrorism purpose for collection of the metadata. In addition, NSA cannot acquire CDRs under the procedures unless the Agency starts with a specific selection term related to an open FBI investigation and for which there is RAS to believe the selection term is associated with a foreign power, or an agent of a foreign power, engaged in international terrorism or activities in preparation therefore. Only the FISC, or the Attorney General in an emergency, is authorized under the statute to approve this RAS determination. NSA has also implemented technical controls to help ensure that it only acquires CDRs from the provider(s) that are within no more than two hops from a RAS-approved specific selection term.
In addition, once CDRs have been received and stored by NSA, they will be available for analysis and dissemination related to foreign powers or their agents engaged in international terrorism. Analysts will require appropriate and adequate training, and must have both an international terrorism mission purpose and a need to know in order to be provided access to the CDRs obtained through the USA FREEDOM Act. Analyst queries of records acquired under the USA FREEDOM Act will be intended to determine or identify persons of foreign intelligence interest who may be engaged in international terrorism. All queries will be subject to post-query auditing.

The USA FREEDOM Act data will be used to produce intelligence reports, following reporting and minimization procedures. As noted previously, in order for NSA to disseminate U.S. person information based upon the USA FREEDOM Act results, a determination must first be made that the information is foreign intelligence information related to international terrorism, or is necessary to understand foreign intelligence information related to international terrorism or assess its importance. NSA is also permitted to disseminate CDR information concerning U.S. persons or the identity of a U.S. person if the information is reasonably believed to contain evidence that a crime has been, is being, or is about to be committed, provided that the dissemination is for law enforcement purposes. Therefore, the Principle of Use Limitation is satisfied.

Fair Information Practice Principle - Data Quality and Integrity

Civil Liberties & Privacy Analysis

The Principle of Data Quality and Integrity provides that organizations should, to the extent practicable, ensure that PII is accurate, relevant, timely, and complete.

CLPO concludes that NSA's implementation of the USA FREEDOM Act satisfies the Principle of Data Quality and Integrity. Each CDR is a business record generated by a provider for the provider's own business use. NSA plays no role in ensuring that the provider-generated CDRs accurately reflect the calling events that occurred over the provider's infrastructure, but the provider(s) have their own policies, practices, and incentives for ensuring the accuracy of their records. NSA's requirements for ensuring accurate, relevant, timely, and complete CDRs begin when NSA submits query requests to the provider(s), and the provider(s), in response, produce CDRs to the Agency.

NSA's minimization procedures for the telephone metadata acquired pursuant to the USA FREEDOM Act require the Agency to inspect CDRs received from a provider through manual and/or automated means to confirm that the CDRs are responsive to the FISC's production order. The minimization procedures require NSA to destroy promptly any CDRs produced that are determined to be outside the scope of the FISC's applicable order.

NSA has worked closely with the provider(s) to ensure that the provider(s) produce records in a useful format and in a timely manner, as required by the USA FREEDOM Act. To this end, NSA and the provider(s) have conducted a significant amount of systems engineering and testing to ensure that CDRs produced under the USA FREEDOM Act are accurate, relevant, timely, and complete. NSA continually processes and manages results returned from the provider(s). Thus, NSA's implementation of the new metadata authority includes three important components:

1) NSA will de-duplicate and re-submit requests to the provider(s) on a periodic basis.
2) NSA will periodically query its internal holdings with FISC-approved specific selection terms to obtain new one-hop selectors. These new one-hop results will then be submitted to the provider(s) on a periodic basis.
3) NSA will manage CDR results such that results do not exceed the two-hop maximum specified by the USA FREEDOM Act.

In light of these efforts, CLPO finds that the Principle of Data Quality and Integrity is satisfied.
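The hypothetical (202)/(301)/(410) example in Section III and the three processing components listed just above describe a single periodic workflow: query internal holdings for one-hop selectors, submit RAS and one-hop terms to the provider(s), de-duplicate what comes back, inspect it for responsiveness, and never let a two-hop result become a query term. The Python below models that workflow as an added example written for this page; it is not code from the report or from any NSA or provider system. The class and function names, the call records and timestamps, the third-hop number (703) 555-0000, and the "faulty provider" that over-produces records are all constructed assumptions used to exercise the controls.

```python
"""Constructed model of the two-hop CDR workflow (added example, not NSA code).
Every number, record, provider behaviour and name below is an assumption."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

MAX_HOPS = 2  # the statute never permits a third hop from a RAS selector

@dataclass(frozen=True)
class CDR:
    """Session-identifying metadata only: no content, name, address or location."""
    originating: str
    terminating: str
    start: str       # constructed timestamp
    duration_s: int

    def parties(self) -> Set[str]:
        return {self.originating, self.terminating}

class Provider:
    """Constructed stand-in for a provider's business-record holdings."""
    def __init__(self, holdings: Iterable[CDR], faulty: bool = False):
        self.holdings = list(holdings)
        self.faulty = faulty  # constructed fault: returns unresponsive records too

    def query(self, terms: Set[str]) -> List[CDR]:
        if self.faulty:
            return list(self.holdings)
        # A responsive record contains a submitted RAS or one-hop term.
        return [c for c in self.holdings if c.parties() & terms]

class UsaFreedomHoldings:
    """NSA-side store that de-duplicates, labels hops and enforces the two-hop cap."""
    def __init__(self, ras_selectors: Set[str], seed: Iterable[CDR] = ()):
        self.ras = set(ras_selectors)
        self.hop: Dict[str, int] = {s: 0 for s in self.ras}
        self.cdrs: Set[CDR] = set(seed)   # records NSA already lawfully holds
        self.destroyed: List[CDR] = []    # unresponsive records, promptly destroyed
        self.last_submitted: Set[str] = set()

    def one_hop_selectors(self) -> Set[str]:
        """Component 2: terms in direct contact with a RAS selector, found by
        querying internal holdings. Only hop-0 and hop-1 terms are ever resubmitted."""
        found: Set[str] = set()
        for c in self.cdrs:
            if c.parties() & self.ras:
                found |= c.parties() - self.ras
        for s in found:
            self.hop[s] = 1
        return found

    def run_cycle(self, provider: Provider) -> Dict[str, int]:
        """One periodic request/response cycle; returns counts for post-query auditing."""
        submitted = self.ras | self.one_hop_selectors()   # never contains a hop-2 term
        self.last_submitted = submitted
        stats = {"returned": 0, "new": 0, "duplicate": 0, "destroyed": 0}
        for c in provider.query(submitted):
            stats["returned"] += 1
            anchors = c.parties() & submitted
            if not anchors:                  # outside the order's scope: destroy
                self.destroyed.append(c)
                stats["destroyed"] += 1
                continue
            if c in self.cdrs:               # component 1: de-duplicate
                stats["duplicate"] += 1
                continue
            self.cdrs.add(c)
            stats["new"] += 1
            nearest = min(self.hop[a] for a in anchors)
            for p in c.parties() - submitted:    # component 3: label and cap hops
                self.hop[p] = min(self.hop.get(p, MAX_HOPS), nearest + 1)
                assert self.hop[p] <= MAX_HOPS, "a third hop must never be generated"
        return stats

# Constructed numbers following the report's (202)/(301)/(410) example, plus a
# third-hop number that must never be produced or retained.
RAS_SELECTOR, ONE_HOP, TWO_HOP = "(202) 555-1234", "(301) 555-4321", "(410) 555-5678"
THIRD_HOP = "(703) 555-0000"
SEED_CDR = CDR(RAS_SELECTOR, ONE_HOP, "2015-12-01T10:00", 120)  # held from another authority
PROVIDER_RECORDS = [
    CDR(RAS_SELECTOR, ONE_HOP, "2015-12-01T10:00", 120),   # duplicate of SEED_CDR
    CDR(ONE_HOP, TWO_HOP, "2015-12-02T09:30", 45),         # yields the two-hop result
    CDR(TWO_HOP, THIRD_HOP, "2015-12-03T14:15", 300),      # third hop: not responsive
]

def demo():
    """One cycle against a well-behaved provider and one against a faulty one."""
    good = UsaFreedomHoldings({RAS_SELECTOR}, seed=[SEED_CDR])
    good_stats = good.run_cycle(Provider(PROVIDER_RECORDS))
    bad = UsaFreedomHoldings({RAS_SELECTOR}, seed=[SEED_CDR])
    bad_stats = bad.run_cycle(Provider(PROVIDER_RECORDS, faulty=True))
    return good, good_stats, bad, bad_stats

if __name__ == "__main__":
    good, good_stats, bad, bad_stats = demo()
    print(good_stats, good.hop)
    print(bad_stats, [sorted(c.parties()) for c in bad.destroyed])
```

Running the file shows the well-behaved cycle returning two records, one of which is discarded as a duplicate of the record NSA already held, and labelling (410) 555-5678 as hop 2. On the next cycle that hop-2 number is absent from `last_submitted`, which is the property the two-hop cap protects: the provider is only ever asked about hop-0 and hop-1 terms, so a third hop cannot be produced. The faulty-provider run exercises the responsiveness inspection the minimization procedures require: the (410)-to-(703) record contains no submitted term, so it is logged as destroyed and never enters the holdings or the hop map.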
Fair Information Practice Principle - Security

Civil Liberties & Privacy Analysis

The Principle of Security states that organizations should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.

CLPO concludes that NSA's implementation of the USA FREEDOM Act satisfies the Principle of Security. NSA's minimization procedures for the USA FREEDOM Act require the Agency to process, analyze, and store the CDRs produced by provider(s) within secure networks under NSA's control. The minimization procedures further require that NSA apply unique markings to the CDRs so that NSA can restrict access to authorized personnel who have received appropriate and adequate training on the requirements of NSA's USA FREEDOM Act minimization procedures. NSA has accounted for these security requirements in its implementation of the USA FREEDOM Act telephone metadata procedures. CLPO finds that the Principle of Security is satisfied by NSA's security controls.

Fair Information Practice Principle - Accountability and Auditing

Civil Liberties & Privacy Analysis

The Principle of Accountability and Auditing states that organizations should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.

CLPO concludes that NSA's implementation of the USA FREEDOM Act satisfies the Principle of Accountability and Auditing. NSA's minimization procedures for the USA FREEDOM Act contain significant compliance and oversight requirements, including those regarding training, the implementation and monitoring of software controls used to govern access to the CDRs the Agency obtains under the USA FREEDOM Act, and external oversight conducted by DOJ. As part of its implementation of the USA FREEDOM Act metadata procedures, NSA is also applying its longstanding internal intelligence oversight mechanisms to this new authority. Moreover, Congress and the FISC also exercise significant oversight over NSA's implementation of the authority, to include significant reporting requirements.

With respect to training, in particular, all analysts who require access to the USA FREEDOM Act results must successfully complete training tailored to the USA FREEDOM Act statute, FISC-approved applications, and FISC-approved and Attorney General-adopted minimization procedures. This tailored USA FREEDOM Act training consists of modules that cover the USA FREEDOM Act; data handling requirements (including sharing and dissemination) from the FISC-approved minimization procedures applicable to the USA FREEDOM Act orders; incident reporting; purge requirements; and any special requirements imposed by the FISC. Technical personnel will be trained based on their roles and functions. Those personnel who maintain and develop NSA systems that process the USA FREEDOM Act results or process the USA FREEDOM Act data for data fidelity purposes will receive training specific to their work role.

CLPO finds the key components of the USA FREEDOM Act training crucial to educate and inform personnel. In particular, CLPO finds the training of technical personnel particularly important in order to uphold not only the Principle of Accountability and Auditing, but also, as noted elsewhere in this report, the Principles of Data Minimization, Security, and Use Limitation. CLPO finds that, taken together, NSA's training, compliance, and oversight mechanisms satisfy the Principle of Accountability and Auditing.
Appendix A: Fair Information Practice Principles (FIPPs)[14]

The Fair Information Practice Principles (FIPPs) are the widely accepted framework of defining principles to be used in the evaluation and consideration of systems, processes, or programs that affect individual privacy. The FIPPs are:

- Transparency: Organizations should be transparent and notify individuals regarding collection, use, dissemination, and maintenance of personally identifiable information (PII).
- Individual Participation: Organizations should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of PII. Organizations should also provide mechanisms for appropriate access, correction, and redress regarding use of PII.
- Purpose Specification: Organizations should specifically articulate the authority that permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used.
- Data Minimization: Organizations should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s).
- Use Limitation: Organizations should use PII solely for the purpose(s) specified in the notice. Sharing PII should be for a purpose compatible with the purpose for which the PII was collected.
- Data Quality and Integrity: Organizations should, to the extent practicable, ensure that PII is accurate, relevant, timely, and complete.
- Security: Organizations should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.
- Accountability and Auditing: Organizations should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.

[14] See "The National Strategy for Trusted Identities in Cyberspace," Appendix A (2011).