Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN (U) SEMIANNUAL ASSESSMENT OF COMPLIANCE WITH PROCEDURES AND GUIDELINES ISSUED PURSUANT TO SECTION 702 OF THE FOREIGN INTELLIGENCE SURVEILLANCE ACT, SUBMITTED BY THE ATTORNEY GENERAL AND THE DIRECTOR OF NATIONAL INTELLIGENCE Reporting Period: December 1, 2012 – May 31, 2013 March 2014 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN (U) SEMIANNUAL ASSESSMENT OF COMPLIANCE WITH PROCEDURES AND GUIDELINES ISSUED PURSUANT TO SECTION 702 OF THE FOREIGN INTELLIGENCE SURVEILLANCE ACT, SUBMITTED BY THE ATTORNEY GENERAL AND THE DIRECTOR OF NATIONAL INTELLIGENCE March 2014 TABLE OF CONTENTS (U) Executive Summary 3 (U) Section 1: Introduction 4 (U) Section 2: Oversight of the Implementation of Section 702 6 (U) I. (U) II. (U) III. (U) IV. (U) V. (U) VI. Joint Oversight of NSA Joint Oversight of CIA Joint Oversight of FBI Joint Oversight of NCTC Interagency/Programmatic Oversight Other Compliance Efforts (U) Section 3: Trends in Section 702 Targeting and Minimization (U) I. (U) II. (U) III. Trends in NSA Targeting and Minimization Trends in FBI Targeting Trends in CIA Minimization (U) Section 4: Compliance Assessment – Findings (U) I. (U) II. (U) III. (U) IV. (U) V. Compliance Incidents – General Review of Compliance Incidents – NSA Targeting and Minimization Procedures Review of Compliance Incidents – CIA Minimization Procedures Review of Compliance Incidents – FBI Targeting and Minimization Procedures Review of Compliance Incidents – Provider Incidents (U) Section 5: Conclusion 6 8 9 12 12 13 17 17 21 23 25 25 31 40 41 42 42 (U) Appendix A A-1 2 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN (U) Semiannual Assessment of Compliance with Procedures and Guidelines Issued Pursuant to Section 702 of the Foreign Intelligence Surveillance Act, Submitted by the Attorney General and the Director of National Intelligence March 2014 Reporting Period: December 1, 2012 – May 31, 2013 (U) EXECUTIVE SUMMARY (U) The FISA Amendments Act of 2008 (hereinafter “FAA”) requires the Attorney General and the Director of National Intelligence (DNI) to assess compliance with certain procedures and guidelines issued pursuant to Section 702 of the Foreign Intelligence Surveillance Act of 1978, 50 U.S.C. § 1801 et seq., as amended, (hereinafter “FISA” or “the Act”) and to submit such assessments to the Foreign Intelligence Surveillance Court (FISC) and relevant congressional committees at least once every six months. This report sets forth the Department of Justice, National Security Division (NSD) and Office of Director of National Intelligence’s (ODNI) tenth joint compliance assessment under Section 702, covering the period December 1, 2012, through May 31, 2013 (hereinafter the “reporting period”). This report accompanies the Semiannual Report of the Attorney General Concerning Acquisitions under Section 702 of the Foreign Intelligence Surveillance Act, which was submitted as required by Section 707(b)(1) of FISA (hereinafter “the Section 707 Report”) on September 6, 2013 and September 9, 2013, and covers the same reporting period. (U) Compliance assessment activities have been jointly conducted by NSD and ODNI. Specifically, the joint oversight team consisted of members from NSD, ODNI’s Civil Liberties and Privacy Office (CLPO), ODNI’s Office of General Counsel (OGC), and ODNI’s Office of the Deputy Director for Intelligence Integration/Mission Integration Division (DD/II/MID). NSD and ODNI have assessed the oversight process used since Section 702 was implemented in 2008, and have identified improvements in the Intelligence Community personnel’s awareness of and compliance with the restrictions imposed by the statute, targeting procedures, minimization procedures and the Attorney General Guidelines. (U) The joint oversight team has found that a vast majority of compliance incidents reported in the Section 707 Reports have been self-identified by the agencies, sometimes as a result of preparation for the joint reviews. In discussing compliance incidents in this Semiannual Assessment (hereinafter also referred to as the Joint Assessment), the focus is on incidents that have the greatest potential to impact United States persons’ privacy interests; intra- and interagency communications; the effect of human errors on the conduct of acquisition; and the effect of technical issues on the conduct of acquisition. (U) This Joint Assessment finds that the agencies have continued to implement the procedures and follow the guidelines in a manner that reflects a focused and concerted effort by agency personnel to comply with the requirements of Section 702. The personnel involved in implementing the authorities are appropriately focused on directing their efforts at non-United States persons reasonably believed to be located outside the United States for the purpose of acquiring foreign intelligence information. Processes are in place to implement these authorities and to impose internal controls for compliance and verification purposes. The compliance incidents 3 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN which occurred during the reporting period represent a very small percentage of the overall collection activity, which has increased from the last Joint Assessment. Individual incidents, however, can have broader implications, as further discussed herein and in the Section 707 Report. Based upon a review of these compliance incidents, the joint team believes that none of these incidents represent an intentional attempt to circumvent or violate the Act, the targeting or minimization procedures, or the Attorney General’s Acquisition Guidelines. (U) SECTION 1: INTRODUCTION (U) The FISA Amendments Act of 2008, relevant portions of which are codified at 50 U.S.C. §1881 – 1881g (hereinafter “FAA”), requires the Attorney General and the Director of National Intelligence (DNI) to assess compliance with certain procedures and guidelines issued pursuant to Section 702 of the Foreign Intelligence Surveillance Act of 1978, 50 U.S.C. § 1801 et seq., as amended (hereinafter “FISA” or “the Act”), and to submit such assessments to the Foreign Intelligence Surveillance Court (FISC) and relevant congressional committees at least once every six months. As required by the Act, a team of oversight personnel from the Department of Justice’s National Security Division (NSD) and the Office of the Director of National Intelligence (ODNI) have conducted compliance reviews to assess whether the authorities under Section 702 of FISA (hereinafter “Section 702”) have been implemented in accordance with the applicable procedures and guidelines, discussed herein. This report sets forth NSD and ODNI’s tenth joint compliance assessment under Section 702, covering the period December 1, 2012, through May 31, 2013 (hereinafter the “reporting period”).1 (U) Section 702 requires that the Attorney General, in consultation with the DNI, adopt targeting and minimization procedures, as well as guidelines. A primary purpose of the guidelines is to ensure compliance with the limitations set forth in subsection (b) of Section 702, which are as follows: An acquisition authorized under subsection (a)— (1) may not intentionally target any person known at the time of acquisition to be located in the United States; (2) may not intentionally target a person reasonably believed to be located outside the United States if the purpose of such acquisition is to target a particular, known person reasonably believed to be in the United States; (3) may not intentionally target a United States person reasonably believed to be located outside the United States; (4) may not intentionally acquire any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States; and (5) shall be conducted in a manner consistent with the fourth amendment to the Constitution of the United States. These guidelines, the Attorney General’s Guidelines for the Acquisition of Foreign Intelligence Information Pursuant to the Foreign Intelligence Surveillance Act of 1978, as amended (hereinafter 1 (U) This report accompanies the Semiannual Report of the Attorney General Concerning Acquisitions under Section 702 of the Foreign Intelligence Surveillance Act, which was previously submitted on September 6, 2013, and September 9, 2013, as required by Section 707(b)(1) of FISA, and covers the same reporting period. 4 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN “the Attorney General’s Acquisition Guidelines”), were adopted by the Attorney General in consultation with the DNI on August 5, 2008. (TS//SI//NF) During this reporting period, the Government acquired foreign intelligence information under Attorney General and DNI authorized Section 702(g) certifications. (U) Three agencies are primarily involved in implementing Section 702: the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Central Intelligence Agency (CIA). An overview of how these agencies implement the authority appears in Appendix A of this assessment. Additionally, the other agency involved in implementing Section 702 is the National Counterterrorism Center (NCTC), which has a limited role, as reflected in the “Minimization Procedures Used by NCTC in connection with Information Acquired by the FBI pursuant to Section 702 of FISA, as amended.”2 This report contains the joint oversight team’s assessment of NCTC’s compliance with its minimization procedures as discussed in Section 2.IV as well as any incidents of noncompliance with the NCTC minimization procedures. (U) Section Two of this Joint Assessment provides a comprehensive overview of oversight measures the Government employs to ensure compliance with the targeting and minimization procedures, as well as the Attorney General’s Acquisition Guidelines. Section Three compiles and presents data acquired from the joint oversight team’s compliance reviews in order to provide insight into the overall scope of the Section 702 program, as well as trends in targeting, reporting, and the minimization of United States person information. Section Four describes compliance trends. All of the specific compliance incidents for the reporting period have been previously described in detail in the Section 707 Report. As with the prior Joint Assessments, some of those compliance incidents are analyzed here to determine whether there are patterns or trends that might 2 (U) Under these limited minimization procedures, NCTC is not authorized to receive unminimized Section 702 data. Rather, these procedures recognize that, in light of NCTC’s statutory counterterrorism role and mission, NCTC has been provided access to certain FBI systems containing minimized Section 702 information, and prescribe how NCTC is to treat that information. For example, because NCTC is not a law enforcement agency, it may not receive disseminations of Section 702 information that is evidence of a crime, but which has no foreign intelligence value; accordingly, NCTC’s minimization procedures require in situations in which NCTC personnel discover purely law enforcement information with no foreign intelligence value in the course of reviewing minimized foreign intelligence information that the NCTC personnel either purge that information (if the information has been ingested into NCTC systems) or not use, retain, or disseminate the information (if the information has been viewed in FBI systems). 5 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN indicate underlying causes that could be addressed through additional measures, and to assess whether the agency involved has implemented processes to prevent recurrences. (U) In summary, the joint oversight team finds that the agencies have continued to implement the procedures and follow the guidelines in a manner that reflects a focused and concerted effort by agency personnel to comply with the requirements of Section 702 during this reporting period. As in the prior Joint Assessments, the joint team has not found indications in the compliance incidents that have been reported or otherwise identified of any intentional or willful attempts to violate or circumvent the requirements of the Act. The number of compliance incidents remains small, particularly when compared with the total amount of targeting and collection activity. To reduce the number of future compliance incidents, the Government will continue to focus on measures to improve communications, training, and monitoring of collection systems, as well as monitor purge practices and withdrawal of disseminated reports as may be required.3 Further, the joint oversight team will also monitor agency practices to ensure appropriate remediation steps are taken to prevent, whenever possible, reoccurrences of the types of compliance incidents discussed herein and in the Section 707 Report. (U) SECTION 2: OVERSIGHT OF THE IMPLEMENTATION OF SECTION 702 (U) The implementation of Section 702 is a multi-agency effort. As described in detail in Appendix A, NSA and FBI each acquire certain types of data pursuant to their own Section 702 targeting procedures. NSA, FBI, and CIA4 each handle Section 702-acquired data in accordance with their own minimization procedures. There are differences in the way each agency implements its procedures resulting from unique provisions in the procedures themselves, differences in how these agencies utilize Section 702-acquired data, and efficiencies from using preexisting systems to implement Section 702 authorities. Because of these differences in practice and procedure, there are corresponding differences in both the internal compliance programs each agency has developed and in the external oversight programs conducted by NSD and ODNI. (U) A joint oversight team has been assembled to conduct compliance assessment activities, consisting of members from NSD’s Office of Intelligence (OI), ODNI’s Civil Liberties and Privacy Office (CLPO), ODNI’s Office of General Counsel (ODNI OGC), and ODNI’s Office of the Deputy Director for Intelligence Integration/Mission Integration Division (ODNI DD/II/MID). The team members play complementary roles in the review process. The following describes the oversight activities of the joint team, the results of which, in conjunction with the internal oversight conducted by the reviewed agencies, provide the basis for this Joint Assessment. (U) I. Joint Oversight of NSA (U) Under the process established by the Attorney General and Director of National Intelligence’s certifications, all Section 702 targeting is initiated pursuant to the NSA’s targeting procedures. Additionally, NSA is responsible for conducting post-tasking checks of all Section 3 (U) The previous Assessment noted that, in November 2012, the NSA Office of Inspector General (OIG) shared with NSD and ODNI the results of its study of NSA’s management controls of its Section 702 program and that the NSA OIG subsequently revised its study in March 2013. Relevant information resulting from the review is discussed below. 4 (S//NF) As discussed herein, CIA receives Section 702-acquired data from NSA and FBI. 6 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN 702-tasked communication facilities5 once collection begins. NSA must also minimize its collection in accordance with its minimization procedures. Each of these responsibilities is detailed in Appendix A. Given its central role in the Section 702 process, NSA has devoted substantial oversight and compliance resources to monitoring its implementation of the Section 702 authorities. NSA’s internal oversight and compliance mechanisms are further described in Appendix A. (U) NSD and ODNI’s joint oversight of NSA’s implementation of Section 702 consists of periodic compliance reviews, which the NSA targeting procedures require,6 as well as the investigation and reporting of specific compliance incidents. During this reporting period, NSD and ODNI conducted the following onsite reviews at NSA: Figure 1: (U) NSA Reviews7 Date of Review February 13, 2013 April 23, 2013 June 17, 2013 Taskings/Minimization Reviewed December 1, 2012 – January 31, 2013 February 1, 2013 – March 31, 2013 April 1, 2013 – May 31, 2013 (U) Reports for each of these reviews, which document the relevant time period of the review, the number and types of communication facilities tasked, the types of information that NSA relied upon, and a detailed summary of the findings for that review period, have been provided to the congressional committees with the Section 707 Report, as required by Section 707(b)(1)(F) of FISA. (U) The review process for NSA targeting begins well before the onsite review. Prior to each review, NSA electronically sends the tasking record (known as a tasking sheet) for each facility tasked during the review period to NSD and ODNI. Members of the joint oversight team review tasking sheets and then NSD prepares a detailed report of the findings, which they share with the ODNI members of the review team. During this initial review, NSD attorneys determine whether the tasking sheets meet the documentation standards required by NSA’s targeting procedures and provide sufficient information for the reviewers to ascertain the basis for NSA’s foreignness determinations. For those tasking sheets that, on their face, meet the standards and provide sufficient information, no further supporting documentation is requested. The joint oversight team then identifies the tasking sheets that, without further review of the cited documentation, did not provide sufficient information, and either sets forth its questions for each facility or requests that NSA provide the cited documentation for review. (U) During the onsite review, the joint oversight team examines the cited documentation underlying these identified tasking sheets, together with NSA Signals Intelligence Directorate (SID) Oversight and Compliance personnel, NSA attorneys, and other NSA personnel as required, to ask 5 (U) Section 702 authorizes the targeting of non-United States persons reasonably believed to be located outside the United States. This targeting is effectuated by tasking communication facilities (also referred to as “selectors”), including but not limited to telephone numbers and electronic communications accounts, to Section 702 electronic communication service providers. A fuller description of the Section 702 targeting process may be found in the Appendix. 6 (U) NSA’s targeting procedures require that the onsite reviews occur approximately every two months. 7 (S) The Applicable Certifications for these reviews were 7 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN questions, identify issues, clarify ambiguous entries, and provide guidance on areas of potential improvement. Interaction continues following the onsite reviews in the form of electronic and telephonic exchanges to answer questions and clarify issues. (U) The joint oversight team also reviews NSA’s minimization of Section 702-acquired data. The team reviews a large sample of the serialized reports that NSA has disseminated and identified as containing Section 702-acquired United States person information. NSD and ODNI also review a sample of NSA disseminations to certain foreign government partners made outside of its serialized reporting process. These disseminations consist of information that NSA has evaluated for foreign intelligence and minimized, but which may not have been translated into English. In addition to the dissemination review, NSD and ODNI also review NSA’s querying of unminimized Section 702-acquired communications using United States person identifiers. (U) The joint oversight team additionally investigates and reports incidents of noncompliance with the NSA targeting and minimization procedures, as well as with the Attorney General Acquisition Guidelines. While some of these incidents may be identified during the reviews, most are identified by NSA analysts or by NSA’s internal compliance program. NSA is also required to report certain events that may not be compliance incidents (e.g., NSA must report any instance in which a targeted individual is found to be located in the United States, a circumstance which is only a compliance incident if NSA knew or should have known the target was in the United States during the collection period), but the report of which may lead to the discovery of an underlying compliance incident. Investigations of all of these incidents often result in requests for supplemental information. All compliance incidents identified by these investigations are reported to the congressional committees in the Section 707 Report, and to the FISC through quarterly reports or individualized notices. (U) II. Joint Oversight of CIA (U) As further described in detail in Appendix A, although CIA does not directly engage in targeting, it does nominate potential Section 702 targets to NSA. Because CIA nominates potential Section 702 targets to NSA, the joint oversight review team conducts onsite visits at CIA and the results of these visits are included in the bimonthly NSA review reports discussed above. CIA has established internal compliance mechanisms and procedures to oversee proper implementation of its Section 702 authorities.8 (S//NF) The joint oversight review team conducts these onsite visits at CIA because as discussed above, the results of these visits are included in the bimonthly NSA review reports. (U) NSD and ODNI also conduct periodic compliance reviews of CIA’s application of its minimization procedures approximately once every two months. For this reporting period, NSD and ODNI conducted the following onsite reviews at CIA: 8 (S//NF) These processes are further described in Appendix A. 8 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN Figure 2: (U) CIA Reviews Date of Visit February 27, 2013 April 30, 2013 June 26, 2013 Minimization Reviewed December 31, 2012 – January 31, 2013 February 1, 2013 – March 31, 2013 April 1, 2013 – May 31, 2013 Reports for each of these reviews have previously been provided to the congressional committees with the Section 707 Report, as required by Section 707(b)(1)(F) of FISA. (U) As a part of the onsite reviews, the joint oversight team examines documents related to CIA’s retention, dissemination, and querying of Section 702-acquired data. The team reviews a sample of communications acquired under Section 702 and identified as containing United States person information that have been minimized and retained by CIA. Reviewers ensure that communications have been properly minimized and discuss with the analyst issues involving the proper application of the minimization procedures. The team also reviews all disseminations of information acquired under Section 702 that CIA identified as potentially containing United States person information. NSD and ODNI also review CIA’s written justifications for all queries using United States person identifiers of the content of unminimized Section 702-acquired communications. (U) In addition to the bimonthly reviews, the joint oversight team also investigates and reports incidents of noncompliance with the CIA minimization procedures and/or the Attorney General Acquisition Guidelines.9 Investigations are coordinated through the CIA FISA Program Office and CIA OGC, and when necessary, may involve requests for further information, meetings with CIA legal, analytical, and/or technical personnel, or the review of source documentation. All compliance incidents identified by these investigations are reported to the congressional committees in the Section 707 Report, and to the FISC through quarterly reports or individualized notices. (U) III. Joint Oversight of FBI (S//NF) FBI fulfills three separate roles in the implementation of Section 702. First, FBI is authorized under the certifications to acquire foreign intelligence information from electronic communication service providers, by targeting facilities that NSA designates for such acquisition (hereinafter “Designated Accounts”). must be conducted pursuant to FBI’s targeting procedures. Second, FBI conveys from the electronic communications service providers for processing in accordance with the agencies’ FISC-approved minimization procedures. Similarly, FBI also provides 10 Third, FBI may receive unminimized Section 702-acquired communications. Such communications must be minimized pursuant to FBI’s Section 702 9 (S//NF) Insofar as CIA nominates facilities for tasking and reviews content that may indicate that a target is located in the United States or is a United States person, some investigations of possible noncompliance with the NSA targeting and minimization procedures can also involve CIA. 10 9 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN minimization procedures. Like CIA, FBI has a process for nominating to NSA new facilities to be targeted pursuant to Section 702. During this reporting period, FBI continued to expand this nominating process to its FBI field offices. (U) FBI’s internal compliance program and NSD and ODNI’s oversight program are designed to ensure FBI’s compliance with statutory and procedural requirements for each of these three roles. Each of the roles discussed above, as well as the FBI’s internal compliance program, are set forth in further detail in Appendix A. (S//NF) Because the review of FBI’s targeting is a manual process, NSD and ODNI generally conduct monthly reviews although FBI’s targeting procedures require that NSD and ODNI conduct periodic reviews of FBI’s compliance with its targeting and minimization procedures at least once every 60 days. For this reporting period, onsite reviews were conducted on the following dates: Figure 3: (U) FBI Reviews11 Date of Visit March 7, 2013 March 27, 2013 April 29, 2013 May 30, 2013 June 19, 2013 July 8, 2013 Tasking and Minimization Reviewed December 2012 taskings January 2013 taskings; December 1, 2012 – January 31, 2013 minimization February 2013 taskings March 2013 taskings; February 1, 2013 – March 31, 2013 minimization April 2013 taskings May 2013 taskings; April 1, 2013 – May 31, 2013 minimization Reports for each of these reviews have previously been provided to the congressional committees with the Section 707 Report, as required by Section 707(b)(1)(F) of FISA. (S//NF) In conducting the targeting review, the joint oversight team reviews the targeting checklist completed by the FBI analysts and supervisory personnel involved in the process, together with supporting documentation. The joint oversight team reviews every file identified by FBI for The joint oversight team also reviews a sample of other files to identify any other potential compliance issues. FBI analysts and supervisory personnel are available to answer questions, and provide supporting documentation. The joint oversight team provides guidance on areas of potential improvement. (S//NF) With respect to minimization, the joint oversight team reviews two categories of documents related to FBI’s application of its minimization procedures. The team reviews a sample of communications that FBI has marked in its systems as both meeting the retention standards and containing United States person information. The team also reviews all disseminations of information acquired under Section 702 that FBI identified as potentially containing United States person information. In addition, during its FISA Title I and Title III reviews at FBI field offices, 11 (S) The Applicable Certifications for these reviews were 10 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN NSD reviews FBI’s use of United States person identifiers to query raw FISA-acquired data, including Section 702-acquired data. (U) During this reporting period, NSD expanded it minimization reviews in FBI field offices, which traditionally reviewed FBI’s compliance with minimization of information acquired pursuant to Titles I and III of FISA, to also examine the retention and dissemination decisions made by FBI field office personnel with respect to Section 702-acquired data. As detailed in the attachments to the Attorney General’s Section 707 Report, NSD conducted minimization reviews at eight FBI field offices between February 1, 2013, through May 31, 2013 and reviewed ODNI participated in one of these reviews,12 and received written summaries regarding any issues discovered in the other reviews. (S//NF) NSD’s review of field offices coincided with FBI’s broadening of the use of Section 702-acquired data at these field offices. In general, NSD found that agents understood and were properly applying the requirements of the minimization procedures. Out of cases reviewed, however, NSD found that cases there were instances of non-compliance with FBI’s Section 702 minimization procedures and/or the FBI’s Standard Minimization Procedures Policy Implementation Guidelines.13 NSD will continue to conduct minimization reviews in FBI field offices in order to identify and remediate any incidents of non-compliance. ODNI plans to continue to accompany NSD during the minimization reviews of the FBI Washington and Baltimore field offices and is exploring the feasibility of joining NSD on reviews of other FBI field offices. (S//NF) Separately, in order to evaluate acquisition and provision of the joint oversight team conducts an annual process review with FBI’s technical personnel to ensure that these activities comply with applicable minimization procedures. The most recent annual process review occurred in May 2013. (S//NF) Additionally, and as further described in detail in Appendix A, FBI nominates potential Section 702 targets to NSA. FBI has established internal compliance mechanisms and procedures to oversee proper 12 (U) ODNI joins NSD’s on these reviews when the FBI field offices are located in or within reasonable driving distance of the Washington, D.C. area (e.g. the Washington Field Office and the Baltimore Field Office). 13 (S//NF) the cases involved FBI agents who did not have the appropriate administrative access to apply official minimization markings in an FBI system that contains unminimized Section 702-acquired information. additional cases, FBI agents had the proper access, but acquired communications were not marked properly by the FBI agents. Although the communications were not marked properly, NSD’s review confirmed that the communications met the standard minimization procedures requirement that the communications either reasonably appeared to be foreign intelligence information, were necessary to understand foreign intelligence information or to assess its importance, or contained evidence of a crime. Separately, the cases contained disseminations that did not contain the proper FISA warning statement or caveat required by 50 U.S.C. §1806(b). In each case, NSD worked with the FBI personnel to rectify the errors. 11 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN implementation of its Section 702 authorities. These processes are further described in Appendix A. (U) The joint oversight team also investigates potential incidents of noncompliance with the FBI targeting and minimization procedures, the Attorney General’s Acquisition Guidelines, or other agencies’ procedures in which FBI is involved. These investigations are coordinated with FBI OGC and may involve requests for further information, meetings with FBI legal, analytical, and/or technical personnel, or review of source documentation. All compliance incidents identified by these investigations are reported to the congressional committees in the Section 707 Report, and to the FISC through quarterly reports or individualized notices. (U) IV. Joint Oversight of NCTC (U) As noted above, NCTC is also involved in implementing Section 702, albeit in a limited role, as reflected in the “Minimization Procedures Used by NCTC in connection with Information Acquired by the FBI pursuant to Section 702 of FISA, as amended.” Under these limited minimization procedures, NCTC is not authorized to receive unminimized Section 702 data but NCTC has been provided access to certain FBI systems containing minimized Section 702 information. As part of the joint oversight of NCTC to ensure compliance with these procedures, on May 28, 2013, NSD and ODNI conducted a review of NCTC’s access, receipt, and processing of Section 702 information received from FBI. (S) During the oversight review, the joint oversight team reviewed NCTC’s FISA training , including its requirement that all of its users who may have access to FISC-acquired information undergo such training. The joint oversight team also reviewed NCTC’s systems processes for ingesting and purging Section 702-acquired information, as well as NCTC’s ability to conduct queries of FBI case files ingested into NCTC systems. When making a query, NCTC users will be reminded via a popup warning that queries must be designed to identify international terrorism information and to minimize review of U.S. person information that does not constitute international terrorism information. If a query yields information that appears to be non-foreign intelligence information but is evidence of a crime, the user is trained to check a notification box designating the information as such and the notification is sent to additional NCTC offices, including NCTC Legal, for review. Based upon its review on May 28, 2013, the joint oversight team assesses that NCTC’s systems for accessing, receiving, and processing minimized Section 702-acquired data comply with the NCTC 702 Minimization Procedures. (U) V. Interagency/Programmatic Oversight (U) Because the implementation and oversight of the Government’s Section 702 authorities is a multi-agency effort, investigations of particular compliance incidents may involve more than one agency. The resolution of particular compliance incidents can provide lessons learned for all agencies. Robust communication among the agencies is required for each to effectively implement its authorities, gather foreign intelligence, and comply with all legal requirements. For these reasons, NSD and ODNI conduct bimonthly meetings with representatives from all agencies implementing Section 702 authorities to discuss and resolve interagency issues affecting compliance with the statute and applicable procedures. 12 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN (U) NSD and ODNI’s programmatic oversight also involves efforts to proactively minimize the number of incidents of noncompliance. For example, NSD and ODNI have required agencies to demonstrate to the joint oversight team new or substantially revised systems involved in Section 702 targeting or minimization prior to implementation. NSD and ODNI personnel also continue to work with the agencies to review, and where appropriate seek modifications of, their targeting and minimization procedures in an effort to enhance the Government’s collection of foreign intelligence information, civil liberties protections, and compliance. (U) VI. Other Compliance Efforts (U) B. Training (U) In addition to specific instructions to personnel directly involved in the incidents of noncompliance discussed in Section 4, the agencies and the joint oversight team have also been engaged in broader training efforts to ensure compliance with the targeting and minimization procedures. For example, during this reporting period NSA updated its compliance training course and consolidated its online training materials. CIA continues to provide regular FISA training at least twice a year to all of the attorneys it embeds with CIA operational personnel. Additionally, in 2013, CIA began a training program to provide hands-on experience with handling and minimizing raw Section 702-acquired data. FBI, in conjunction with its broader roll-out of its formal Section 702 nomination program, has continued to follow-up on its substantially expanded training program that occurred during the last reporting period. After consultation with NSD and ODNI, FBI implemented, during the last reporting period, an online training program regarding nominations and other requirements; FBI already had an online training regarding compliance with its Section 702 minimization procedures. NSD and FBI have also continued to conduct numerous in-person trainings at FBI field offices. 14 15 13 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN (U) C. NSA’s Office of Inspector General Report Regarding Section 702 (U) NSA’s Office of Inspector General (OIG) issued a report titled “Assessment of Management Controls Over FAA § 702” in November 2012 and revised and reissued this report in March 2013 (hereinafter, NSA OIG Report). The NSA OIG Report stated that NSA OIG did not identify areas of non-compliance with the targeting and minimization procedures, but the NSA OIG Report did identify several issues, some of which were resolved in the course of OIG’s review as well as others that required further action by NSA. (S//NF) The NSA OIG report made two findings which were resolved during the course of the OIG’s review. First, NSA OIG discovered that NSA’s issue was resolved the joint oversight team found only incidents during this reporting period in which such a scenario occurred. These incidents did not involve United States persons and were reported as compliance incidents. (S//NF) Second, NSA OIG noted that as originally designed, automated notices sent to analysts to remind them when they had not reviewed Section 702-acquired data from electronic communications accounts for the previous thirty days (U//FOUO) The NSA OIG Report also offered recommendations for improvements in six areas which had yet to be fully implemented by NSA as of the completion of the NSA OIG Report. The areas for improvement, as well as NSA, NSD, and ODNI’s additional efforts regarding these areas for improvement after NSA OIG issued its report, are as follows: x (S//NF) Performance standards and metrics and compliance enforcement measures. NSA OIG assessed that NSA could more fully develop its measures for evaluating compliance. The NSA OIG Report recommended that NSA establish annual evaluation performance objectives and proficiency levels for targeting analysts and personnel that adjudicate targeting requests (i.e., adjudicators). NSA reported to the joint oversight team that, in response to this recommendation, in the summer of NSA implemented required training for all analysts and adjudicators to increase proficiency in compliance with its targeting process. Second, the NSA OIG Report recommended that NSA develop metrics to measure individual targeting analysts and 14 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN adjudicators compliance with Section 702 targeting and minimization procedures and to support analysis of trends indicative of changes needed in training or guidance. NSA reported to DOJ and ODNI that, prior to the end of , NSA developed metrics that rate target analysts and adjudicators on their compliance with the targeting procedures. Results from both NSA’s internal reviews and NSD and ODNI’s joint reviews are shared with management and will be used to evaluate individual performance and, if necessary, underperformance will result in retraining or termination of access to Section 702-acquired data. x (TS//SI//NF) Various Oversight Requirements. NSA’s targeting procedures and internal policy place several requirements on NSA for conducting internal oversight. The NSA OIG Report found NSA in compliance with the requirements of the targeting procedures, but suggested several minor improvements in NSA’s internal oversight processes, to include: (a) expanding internal reviews of disseminated reports for compliance with special documentation requirements required by NSA’s minimization procedures when reports rely upon certain Internet transactions, and (b) enhanced oversight over those who in turn audit analysts’ queries of acquired data. With respect to the expanded internal reviews of disseminated reports, NSA implemented NSA OIG’s recommendation as of (pertaining to Multiple Communication Transactions (MCT)) and (pertaining to the ). With respect to queries, NSD and ODNI confirmed that NSA had previously conducted super-audits of those who audit queries against repositories containing unminimized Section 702-acquired information, but NSA reported those super-audits had been infrequent and ad hoc prior to . NSA began standardizing its super-audit process in , and has continued to modify and improve its super-auditing processes since that time. In addition and relatedly, in , after briefing the joint oversight team, NSA implemented It should be noted both that NSA’s efforts to review queries are not limited to Section 702 authorities and that, at this time, 16 (TS//SI//NF) As of NSA has advised that is has not completed its efforts to reconcile tasked facilities with providers who facilitate Section 702 upstream collection or telephony collection. 15 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN content queries are not specifically identified as containing United States person identifiers. As such, and as the Government previously represented to Congress, NSD and ODNI cannot at this time directly monitor content queries using United States person identifiers because these records are not kept in a centrally located repository. While the changes described above in NSA’s super audit process have not changed this status, NSA is exploring whether future queries using United States person identifiers could be identified and centralized. In the meantime, and in accordance with NSA’s minimization procedures, NSD and ODNI review NSA’s approval of any United States person identifiers used to query unminimized Section 702acquired communications. x (U//FOUO) Authoritative Guidance. The NSA OIG Report found that NSA’s authoritative guidance was outdated, conflicting, or difficult for analysts to find. NSA OIG recommended that NSA organize and consolidate guidance, coordinate changes in guidance with required training, and establish a single standard operating procedure for adjudication of Section 702 requests. As is discussed in the Training subsection above, during this reporting period NSA substantially revised its training program. NSD and ODNI provided input regarding the revised training. NSA significantly consolidated and revised its guidance in and NSA further reports that its guidance continues to be updated on an as needed basis. x (S//SI//NF) Increased Automation of Processes Supporting Section 702 to Ensure Compliance and Reduce Errors. The NSA OIG Report also made several recommendations regarding processes it believed could be more fully automated in a manner that would enhance compliance. First, the NSA OIG Report recommended NSA increase automation of the purge process, which is discussed in detail in the Section 707 report. The joint oversight team assesses that the lack of automation in aspects of the purge process has resulted in information not being completely purged from NSA systems. For example, NSA reported to the joint oversight team that one NSA internal review found that of objects placed on NSA’s Master Purge List, between , approximately records had not been fully purged from certain NSA systems. NSA further reported to the joint oversight team that while it continues to implement short-term improvements in the purge process, NSA has not as of implemented the fully automated process proposed by the NSA OIG Report. The joint oversight team will continue to work with NSA to improve its purge processes. Second, the NSA OIG Report found that NSA’s existing access control systems were designed to ensure that new users had the required training before access to systems containing unminimized Section 702acquired data is granted, but did not automatically block access if follow-up trainings are not completed. NSA reported to NSD and ODNI, however, that manual processes to remove access to such data when trainings are not completed have always existed. Third, the NSA OIG Report recommended NSA improve its automated system designed to ensure that collection is reviewed by ensuring that as of Finally, the NSA OIG Report recommended that this automated 16 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN system for ensuring content is reviewed be expanded to data NSA reported to NSD and ODNI that such an automated capability NSA’s internal operating procedures require, and NSA’s training reinforces, that all Section 702 tasked facilities must be reviewed and revalidated to ensure that the facility is still associated with the intended target and that the target is still reasonably believed to be located outside the United States. The joint oversight team reviews all instances where a target is later found to be in the United States and reports instances where content has not been reviewed for more than a year to the FISC. x (U) Training. The NSA OIG Report found that NSA had “significantly improved training content,” but recommended that NSA’s Section 702 training could be enhanced with additional training on compliance incidents, reporting requirements, query requirements, sharing Section 702-derived information, and the reasonable belief standard. As is discussed above, NSA during this reporting period NSA revised its training, which it coordinated with NSD and ODNI prior to implementation. The joint oversight team assesses that NSA’s revised training incorporates NSA OIG’s recommendations. (U) SECTION 3: TRENDS IN SECTION 702 TARGETING AND MINIMIZATION (U) In conducting the above-described oversight program, NSD, ODNI, and the agencies have collected a substantial amount of data regarding the implementation of Section 702. In this section, a comprehensive collection of this data has been compiled in order to identify overall trends in the agencies targeting, minimization, and compliance. (U) I. Trends in NSA Targeting and Minimization (TS//SI//NF) NSA reports that, on average, approximately facilities were under collection pursuant to Certifications any given day during the reporting period. This represents a 13.4% increase from the approximately facilities under collection on any given day in the last reporting period. This 13.4% increase is lower, but roughly comparable, to the rates of increase in the prior two reporting periods, which were 18.0% and 17.4%, respectively. As Figure 4 demonstrates, with one exception, the average number of facilities under collection has increased every reporting period 17 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN Figure 4: (TS//SI//NF) Average Number of Facilities Under Collection (U) It is anticipated that the average number of tasked facilities will continue to increase. The rate of increase may accelerate now that FBI has made its nomination process more widely available to its field office personnel. (TS//SI//NF) The above statistics describe the average number of facilities under collection at any given time during the reporting period. The total number of newly tasked facilities during the reporting period provides another useful metric.17 NSA provided documentation of new taskings during the reporting period. This represents a 12.4% increase in new taskings from the previous reporting period. 17 (U) The term newly tasked facilities refers to any facility that was added to collection under a certification. This term includes any facility added to collection pursuant to the Section 702 targeting procedures; some of these newly tasked facilities are therefore facilities that had been previously tasked for collection, were detasked, and now have been retasked. 18 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN (U) Figure 5 charts the total monthly numbers of newly tasked facilities since collection pursuant to Section 702 began in September 2008.18 Figure 5: (S) New Taskings by Month (Monthly Average for 2008 through 2011) (U) As the chart demonstrates, the number of newly tasked telephone numbers decreased after 2009, but began to increase again in 2012. (TS//SI//NF) The average number of telephone numbers tasked each month in 2012 was , and average taskings for the first five months of 2013. These average taskings . As has been the case since the program was initiated, the average number of electronic communication accounts has continued to increase. The average number of electronic communications accounts tasked each month in 2012 increase from the prior year. The average number of electronic communication accounts tasked for the first five months of 2013 increase over 2012’s monthly average. (TS//SI//NF) With respect to minimization, for this reporting period NSA identified to NSD and ODNI serialized reports based upon minimized Section 702- or Protect America Act (PAA)-acquired data.19 This represents a 16.0% increase from the such serialized reports 18 (U) For 2008 and 2009, the chart includes taskings under the last Protect America Act of 2007 (PAA) certification, Certification 08-01, which was not replaced by a Section 702(g) certification until early April 2009. 19 (S) In drafting this assessment, it was determined that NSA’s prior reporting of total NSA reports based upon Section 702 or PAA-acquired data for the February and March 2013 period was underinclusive. The figures and chart in this assessment incorporate the corrected numbers. Corrected figures for the February and March 2013 period will also be included in the next Section 707 report. 19 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN NSA identified in the prior reporting period. As demonstrated by Figure 6, which reflects NSA reporting since mid-2010, this increase is consistent with the historical trend of increased reporting based on Section 702- and PAA-acquired data. Figure 6: (S//NF) Total Disseminated NSA Serialized Reports Based Upon Section 702- or PAA-Acquired Data and Number of Such Reports NSA Identified as Containing USP Information (TS//SI//NF) Figure 6 also shows the number of these serialized reports that NSA identified as containing United States person information. During this reporting period, NSA identified serialized reports as containing United States person information derived from Section 702- or PAA-acquired data. NSD and ODNI’s review revealed that in the vast majority of circumstances, the United States person information was at least initially masked.20 The percentage of reports containing United States person information has remained low at 13.2% for this reporting period, an increase from the 10.9% in the prior reporting period but within the same range of percentages of the earlier reporting periods. 20 (U) NSA generally “masks” United States person information by replacing the name or other identifying information of the United States person with a generic term, such as “United States person #1.” Agencies may request that NSA “unmask” the United States person identity. Prior to such unmasking, NSA must determine that the United States person’s identity is necessary to understand the foreign intelligence information. 20 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN (U) II. Trends in FBI Targeting (TS//SI//NF) FBI reports that NSA designated accounts during the reporting period – an average of accounts designated per month. This increase from the accounts designated in the prior six-month reporting period. Of the electronic communications accounts for which Section 702 collection during the reporting period, approximately (TS//SI//NF) FBI approved during the reporting period. requests 21 (S//NF) Although FBI pursuant to Section 702 prior to April 2009, statistics are provided from April 2009 forward as NSD’s practices for tracking facilities designated and approved changed as of this date. The “2009 Average” reflected in the table therefore reflects only the average number of accounts from April through December 2009. 22 21 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN Figure 7: (S//NF) Figure 7 shows that the percentage of designated accounts approved has been consistently high. FBI may not approve from a designated account for several reasons, including withdrawal of the request because the potential data to be acquired is no longer of foreign intelligence interest, or because FBI has uncovered information causing NSA and/or FBI to question whether the user or users of the account are nonUnited States persons located outside the United States. Historically, the joint review team notes that for those accounts not approved by FBI only a small portion were rejected on the basis that they were ineligible for Section 702 collection. (S//NF) Prior Joint Assessments provided figures regarding the number of reports FBI had identified as containing minimized Section 702-acquired United States person information. During this reporting period, however, FBI transitioned much of its dissemination from FBI Headquarters to FBI field offices. NSD is conducting oversight reviews of FBI field offices use of these disseminations, but because every field office is not reviewed every six months, NSD no longer has comprehensive numbers on the number of disseminations of United States person information made by FBI. FBI does, however, report comparable information on an annual basis to Congress and the FISC pursuant to 50 U.S.C. §1881a(l)(3)(i). 22 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN (U) III. Trends in CIA Minimization (U) CIA only identifies for NSD and ODNI disseminations of Section 702 data containing United States person information. The following chart compiles the number of such disseminations of reports containing United States person information identified in the last six reporting periods. Figure 8: (S//NF) Disseminations Identified by CIA as Containing Minimized Section 702-Acquired United States Person Information (Excluding Certain Disseminations to NCTC) (S//NF) During this reporting period, CIA identified disseminations of Section 702acquired data containing minimized United States person information. This is a decrease from the such disseminations CIA made in the prior reporting period. and as reported in prior Joint Assessments, CIA also permits some personnel with NSD and ODNI, however, review containing Section 702-acquired data that CIA has identified as potentially containing United States person information to ensure compliance with CIA’s minimization procedures. (S//NF) In addition to disseminations, CIA also tracks the number of files its analysts for broader access and longer-term retention. CIA’s minimization procedures must be applied containing CIA analysts are required to identify any files potentially United States person information. 23 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN Figure 9: (S//NF) CIA Files Transferred and Transferred Files Containing Potential United States Person Information (S//NF) For this reporting period, CIA analysts transferred of which were identified by CIA as containing a communication with potential United States person information. This constitutes a increase in the number of files transferred from the previous reporting period when a total of which contained potential United States person information. The percentage of such files containing potential United States person information decreased substantially in this reporting period. 24 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN (U) SECTION 4: COMPLIANCE ASSESSMENT – FINDINGS (U) The joint oversight team finds that during the reporting period, the agencies have continued to implement the procedures and follow the guidelines in a manner that reflects a focused and concerted effort by agency personnel to comply with the requirements of Section 702. The personnel involved in implementing the authorities are appropriately directing their efforts at nonUnited States persons reasonably believed to be located outside the United States for the purpose of acquiring foreign intelligence information. Processes have been put in place to implement these authorities and to impose internal controls for compliance and verification purposes. (U) The compliance incidents during the reporting period represent a very small percentage of the overall collection activity. Based upon a review of the reported compliance incidents, the joint team does not believe that these incidents represent an intentional attempt to circumvent or violate the procedures required by the Act. (U) As noted in prior reports, in the cooperative environment the implementing agencies have established, an action by one agency can result in an incident of noncompliance with another agency’s procedures. It is also important to note that a single incident can have broader implications. (U) The compliance incidents for the reporting period are described in detail in the Section 707 Report, and are analyzed here to determine whether there are patterns or trends that might indicate underlying causes that could be addressed through additional measures, and to assess whether the agency involved has implemented appropriate procedures to prevent recurrences. The joint oversight team continues to assist in the development of such measures. (U) I. Compliance Incidents – General (U) A. Compliance Incident Rate (S//NF) As noted in the Section 707 Report, there were a total of compliance incidents that involved noncompliance with the NSA targeting or minimization procedures; involving noncompliance with the CIA minimization procedures; and involving noncompliance with FBI targeting and minimization procedures; for a total of incidents involving NSA, CIA or FBI procedures.23 Additionally, there was one incident of noncompliance by electronic communication service providers issued a directive pursuant to Section 702(h) of FISA. 23 (U) As is discussed in the Section 707 report and herein, some compliance incidents involve more than one element of the Intelligence Community. Incidents have therefore been grouped not by the agency “at fault,” but instead by the set of procedures with which actions have been noncompliant. 25 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN (U) The following table puts these compliance incidents in the context of the average number of facilities subject to acquisition on any given day24 during the reporting period: Figure 10: (TS//SI//NF) Compliance Incident Rate Compliance incidents during reporting period (December 1, 2012 – May 31, 2013) (including provider incidents) Number of facilities on average subject to acquisition during the reporting period Compliance incident rate as percentage of average facilities subject to acquisition 0.42% (U) The compliance incident rate continues to remain low, well below one percent. The compliance incident rate of 0.42% represents decrease from the 0.49% compliance incident rate in the prior reporting period. (S//NF) The value of statistical information in assessing compliance in situations such as this is unclear. A single incident, for example, may have broad ramifications and may involve multiple selectors. Multiple incidents (e.g. notification delays are, on the whole, less serious than other incidents, but can comprise a significant number of incidents) may increase the incident count, but may be deemed of very limited significance. (U) During this reporting period, however, in 54% of incidents,25 the only incident of noncompliance was the failure to notify NSD and ODNI of certain facts within the timeframe provided in the NSA targeting procedures.26 The median length of these reporting delays is two business days. The oversight team will continue to work with NSA to ensure that notifications are made to NSD and ODNI within the time frame specified in the relevant procedures. A better measure of substantive compliance with the applicable targeting and minimization procedures, 24 (S//NF) The Attorney General’s Section 707 report, which provides details of each incident, specifies the number of facilities affected by each error. 25 26 (S//NF) Specifically, NSA’s targeting procedures require: NSA Targeting Procedures at 26 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN therefore, is to compare the compliance incident rate excluding these notification delays. The following Figure 11 shows this adjusted rate: Figure 11: (U) Compliance Incident Rate (as percentage of average facilities tasked), Not including Notification Delays 1.00% 0.80% 0.60% 0.40% 0.24% 0.20% 0.25% 0.15% 0.20% 0.19% 0.21% 0.15% 0.20% 0.19% 0.00% 2nd 3rd 4th 5th 6th 7th 8th 9th 10th Joint Assessment Period (U) As Figure 11 demonstrates, the adjusted compliance incident rate calculated without the notification delays is 0.19%, which is consistent with low compliance incident rates seen in prior reporting periods. (U) B. Categories of Compliance Incidents (U) Most of the compliance incidents occurring during the reporting period involved noncompliance with the NSA’s targeting or minimization procedures. This largely reflects the centrality of these sets of targeting and minimization procedures in the Government’s implementation of the Section 702 authority. The compliance incidents involving NSA’s targeting or minimization procedures have generally fallen into the following categories: x (U) Tasking Issues. This category involves incidents where noncompliance with the targeting procedures resulted in an error in the initial tasking of the selector. x (U) Detasking Issues. This category involves incidents in which the selector was properly tasked in accordance with the targeting procedures, but errors in the detasking of the selector caused noncompliance with the targeting procedures. x (U) Notification Delays. The category involves incidents in which a selector was properly tasked in accordance with the targeting procedures, but a notification requirement contained in the targeting procedures was not satisfied. 27 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN x (U) Documentation Issues. This category involves incidents where the determination to target a selector was not properly documented as required by the targeting procedures.27 x (U) Overcollection. This category involves incidents in which NSA’s collection systems, in the process of attempting to acquire the communications of properly tasked facilities, also acquired data regarding untasked facilities, resulting in “overcollection.” As noted below, no such overcollection incidents occurred during this reporting period. x (U) Minimization Issues. This category involves NSA’s compliance with its minimization procedures. In some instances, an incident may involve more than one category of noncompliance. (U) These categories are helpful for purposes of reporting and understanding the compliance incidents. The following chart depicts the numbers of compliance incidents in each category that occurred during this reporting period. 27 (U) As described in the Section 707 Report, not all documentation errors have been separately enumerated as compliance incidents. 28 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN Figure 12: (S) Compliance Incidents Involving the NSA Targeting and Minimization Procedures (U) As Figure 12 demonstrates, the majority of compliance incidents during the reporting period were notification delays. Tasking and detasking incidents often involve more substantive compliance incidents insofar as they can (but do not always) involve collection involving a selector used by a United States person or an individual located in the United States. (S) When one compares the numbers of these incidents to those presented in the previous Assessment, generally the trends remained similar. The number of notification delays decreased documentation incidents decreased minimization incidents decreased ; and there overcollection or “other” category incidents during this period. The number of tasking incidents remained almost identical with a slight increase . However, of note, the number of detasking incidents increased This report addresses some of the possible reasons for the increase in detasking delays below. (U) The following chart, Figure 13, depicts the compliance incident rates, as compared to the average facilities on task, for tasking and detasking incidents over the previous reporting periods. 29 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN Figure 13: (S//NF) Tasking and Detasking Incident Compliance Rates 0.25% 0.20% 0.15% 0.15% 0.13% 0.10% 0.10% 0.09% 0.10% 0.09% 0.08% 0.08% 0.07% 0.07% 0.06% 0.06% 0.05% 0.05% 0.05% 0.05% 0.04% 0.00% 2nd 3rd 4th 5th 6th Tasking 7th 8th 9th 10th Detasking (U) Over the time periods covered in the above chart, the tasking and detasking incident compliance rate has varied by only fractions of a percentage point as compared to the average size of the collection. While tasking errors cover a variety of incidents, ranging from the tasking of an account that the Government should have known was used by a United States person or an individual located in the United States to typographical errors in the initial tasking of the account that affect no United States persons or persons located in the United States, detasking errors more often involve a facility used by a United States person or an individual located in the United States, who may or may not have been the intended target.28 The percentage of compliance incidents involving such detasking incidents has remained consistently low. (S//NF) With respect to the other targeting and minimization procedures, incidents of noncompliance with the FBI’s procedures involved noncompliance with FBI’s targeting procedures. As discussed below, each of these targeting errors resulted from unintentional errors in the targeting process. These FBI targeting incidents occurred in the course of approving 28 30 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN approximately facilities and thus represented of the total number of facilities tasked under FBI’s targeting procedures during this reporting period. Additionally, and as described below, incidents involved CIA’s minimization procedures and one incident involved an error by a communications service provider. (U) II. Review of Compliance Incidents – NSA Targeting and Minimization Procedures (U) The Section 707 Report previously provided to Congress and the Court discussed in detail every incident of non-compliance that occurred during the reporting period. This Joint Assessment takes the broader approach and reports on the trends, patterns, and underlying causes of the compliance incidents reported in the Section 707 Report. The Assessment primarily focuses on incidents involving NSA’s targeting and minimization procedures, the volume and nature of which are better-suited to detecting such patterns and trends. The following subsections examine incidents of non-compliance involving NSA’s targeting and minimization procedures. The first subsection examines compliance incidents that have the greatest potential to impact United States persons’ privacy interests, a particular focus of the joint oversight team. Subsequent subsections discuss incidents caused by intra- and interagency communications (i.e., the ability of the agencies to communicate information between and among themselves in a timely manner to avoid compliance incidents), technical and system errors, and incidents caused by human errors. In addition to the trends, the subsections note whether the compliance incidents increased or decreased compared to the previous Assessment and provide potential causes of the increase or decrease. The joint assessment team believes that analyzing these trends, especially in regards to determining the causes of incidents, help the agencies avoid future incidents and improve overall compliance. (U) A. The Impact of Compliance Incidents on United States Persons (U) A primary concern of the joint assessment team is the impact of certain compliance incidents on United States persons. The Section 707 Report discusses every incident of noncompliance with the targeting and minimization procedures, including any necessary purges resulting from these incidents. Most of these incidents did not involve United States persons, and instead involved matters such as typographical errors in tasking that resulted in no collection, detasking delays with respect to facilities used by non-United States persons who had entered the United States, or notification errors regarding similar detaskings that were not delayed. (U) Several incidents, however, did involve United States persons during the recent reporting period. United States persons were primarily impacted by (1) tasking errors that led to the tasking of facilities used by United States persons, (2) delays in detasking facilities after NSA determined that the user of the facility was a United States person, and (3) non-compliance with the NSA’s minimization procedures involving the unintentional improper dissemination, retention, or querying of Section 702 information. Due to their importance, these incidents are highlighted in this subsection. With regards to incidents arising from tasking errors and delays in detasking facilities concerning United States persons (i.e. categories 1 and 2), either no information was acquired or, in the instances that information was acquired, such information was destroyed and no reporting was generated as a result of the erroneous acquisition. With regards incidents resulting from the unintentional improper dissemination or querying of United States person information (i.e. category 3), the disseminated reports were recalled and the queries, and their corresponding results, were destroyed. As noted above, the Section 707 Report provides further details regarding each 31 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN individual incident and how any erroneously acquired, disseminated, or queried United States person information was handled through various purge, recall, and deletion processes. Furthermore, incidents of overcollection can impact United States persons, but no such incidents occurred during this reporting period. (U) (1) Tasking Errors Impacting United States Persons (S) tasking incidents described in the Section 707 report, where at the time of tasking the Government knew or should have known that one of the users of the selector was a United States person. Similarly, occurred in the prior reporting period. incidents in this reporting period represent isolated instances of insufficient due diligence, as compared with the of proper taskings that occurred during the reporting period and did not involve an intentional effort to target a United States person. However, the joint oversight team would like to see a decrease in such incidents in the future especially given that some of these incidents could have been avoided with a more thorough and diligent examination of the Government’s databases. Following the reporting period, NSA, in coordination with NSD and ODNI, revised its training, including providing clearer guidance to avoid these types of errors. The joint oversight team will continue to work with the agencies to assess ways in which to avoid such mistakes in the future. (S//NF) A review of the facts of the specific incidents demonstrates the underlying causes of these incidents and, in some cases, the opportunities to prevent similar errors in the future. incidents involved targeting analysts not considering the totality of circumstances known to the Government prior to targeting pursuant to Section 702. Specifically, in NSA Incident the targeting analyst did not properly consider information reported to NSA prior to targeting that the facility The need to make targeting decisions based on the totality of circumstances is a core principle of both the Section 702 targeting procedures and each agencies’ training programs. When instances such as these occur, remedial training is often given to ensure analysts understand what additional steps should have been taken to prevent the compliance occurrence. (TS//SI//NF) The incident, NSA Incident , was of a somewhat different nature. In this incident, NSA properly targeted an individual pursuant to its targeting procedures but subsequently was informed that the target was a United States person. The primary analyst who followed the target was out of the office when this information was received. NSA promptly and appropriately detasked from Section 702 acquisition , but the back-up target analyst who detasked was unaware of, and thus did not stop, a pending request to . The pending request was approved and detasked three days later when this error was realized. pending tasking requests are terminated, when required, has been an ongoing challenge that is discussed further below. 32 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN (TS//SI//NF) NSA Incident , resulted from both an instance of insufficient due diligence in considering all available pre-tasking information and also constituted an instance of reverse targeting. Reverse targeting occurs when NSA tasks communication facilities used by a non-United States person reasonably located outside the United States for the purpose of acquiring the communications of a United States person or a person located in the United States. Reverse targeting is barred by statute and NSA policy and the prevention of reverse targeting is a key component of both the internal and external review of the Section 702 program. constitutes only the second instance of reverse targeting identified since the FISA Amendments Act was passed in 2008. The NSA analyst’s error occurred because the NSA analyst misunderstood the scope of the Section 702 and Section 705(b) FISA authorities and not because the NSA analyst intentionally attempted to violate Section 702 or NSA policy. no data was acquired as a result of this reverse targeting and the analyst was immediately retrained regarding who may be targeted pursuant to Section 702. Despite the substantial misunderstanding of law that caused this incident, the joint oversight team assesses that the extreme rarity of reverse targeting incidents demonstrates the success of training efforts on this statutory limitation. (U) (2) Delays in De-Tasking Impacting United States Persons (S) The majority of detasking incidents involved non-United States persons who either traveled to the United States, appeared to have traveled to the United States, or involved a non-resolvable unexplained indication of an account appearing to be accessed from within the United States. these detasking delays are confirmed to have involved a United States person. This represents an increase from in the prior reported period. Though still small, the joint oversight team is concerned by rise in the number of detasking incidents involving United States persons, as well as the rise in the overall number of detasking incidents from the last reporting period, where there were a total . (U//FOUO) The joint oversight team is currently working with NSA to evaluate the cause in the rise of these detasking errors, including those involving United States persons, and possible ways to avoid such errors in the future. NSA has already revised its training, and further training efforts and system modifications are being considered. As is discussed in Subsection II.B below, several detasking delays resulted from inter-agency and intra-agency miscommunications. While such miscommunications may not be able to be entirely eliminated, the joint oversight team is 33 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN examining additional training and process improvements that could enhance inter-agency and intraagency communications and hence compliance. (TS//SI//NF) With respect to the other detasking incidents involving United States persons, (NSA Incident resulted from an NSA analyst not timely detasking a telephone facility of a target upon reviewing information from another agency that the individual targeted under Section 702 was a United States person. (U) (3) Non-Compliance with NSA’s Minimization Procedures Impacting United States Persons (S) incidents of non-compliance consisted of violations of NSA’s minimization procedures, as compared to incidents in the prior reporting period. Of particular note, the number of minimization incidents involving queries using United States person identifiers decreased and the number of overly-broad queries also decreased A , involved the inadvertent dissemination of a United States person identity This incident was discovered during one of the bimonthly NSD-ODNI minimization reviews discussed above. The joint oversight team will continue to conduct close oversight of NSA’s dissemination of United States person information and use of United States person identifiers to query data. (TS//SI//NF) The remaining minimization incidents (and, as discussed below, one of the query incidents discussed in the previous paragraph) resulted from system or process errors with potentially broader consequences for United States person information, though in several cases during this reporting period the impact has been more of a potential consequence than observed consequence. these incidents involve implementation errors in NSA technical systems, 34 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN and are described in Subsection II.B below. In NSA Incident partially minimized transcripts of communications acquired pursuant to various FISA authorities, including Section 702, that contained United States person information were retained in a NSA database longer than permitted by NSA’s minimization procedures. Additionally, although currently the database in question is accessible only to personnel trained in minimization procedures and subject to the direction and control of the Director of the NSA, NSA has insufficient information to confirm that this was historically always the case. This incident occurred because this incident shows the need for ongoing analyst training in both the legal requirements and the tools analysts used to achieve compliance. In this case, NSA designed a compliant system and initially trained analysts to use that system in a compliant manner, but insufficient subsequent training on how to properly use this tool caused some target offices’ practice to shift into non-compliance over the course of time. The joint oversight team will continue to work with the agencies to ensure that personnel receive ongoing training that will allow them to comply with the targeting and minimization procedures. (U) B. Intra- and Inter-Agency Communications (U) (1) Intra-Agency Communications (U) The joint oversight team assesses that intra-agency communication and coordination has continued to improve, thereby enhancing compliance. Historically, many detasking delays resulted from a lack of intra-agency communication and coordination in the detasking of facilities used by non-United States persons who traveled to the United States, especially in instances where the non-United States persons used multiple tasked accounts. While, as noted below, the joint oversight team believes there are specific improvements that could further decrease the number of detasking delays in multiple account detasking situations, a very small number of intra-agency miscommunication directly resulted in a detasking delay during this period.29 The joint oversight team commends the agencies for their improved performance in this area. (TS//SI//NF) Apart from miscommunications, detasking delays occurred because the Government determined that a non-United States person target had entered the United States, but not all Section 702-tasked facilities used by that target were promptly detasked.30 Some of these errors were the result of human errors, but others resulted from 29 30 (U) See infra footnote 34. 35 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN The joint assessment team believes that such incidents could be reduced in the future through better intra-agency communication and coordination among the different NSA analysts responsible for the targets. (U) (2) Inter-Agency Communications (U) As noted in the prior Assessments, communications between and among the different agencies have continued to improve, which enhances compliance. While communications issues continue to arise in the context of compliance incidents, the joint oversight team assesses that these issues accounted for only a handful of compliance incidents during this reporting period. (U) The joint oversight team has found that the agencies have established internal and external procedures to communicate information concerning a Section 702 user’s travel to the United States or a change in the assessment of their citizenship status. The joint oversight team believes that agencies should continue their training efforts to ensure that these established protocols continue to be utilized. The joint oversight team will continue to work with NSA, CIA and FBI to ensure that the agencies continue to develop and improve efficient and effective channels of communication. (U) C. Effect of Technical Issues (U) There were few compliance incidents resulting from technical issues during this reporting period, but technical issues can have larger implications than other incidents because they often involve more than one selector. As such, all agencies involved in the Section 702 program devote substantial resources towards the prevention, identification, and remedy of technical issues. Collection equipment and other related systems undergo substantial testing prior to deployment. The agencies also employ a variety of monitoring programs to detect anomalies in order to prevent or limit the effect of technical issues on acquisition. Members of the joint oversight team 36 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN participate in technical briefings at the various agencies to better understand how technical system development and modifications affect the collection and processing of information. As a result of these efforts, potential issues have been identified, the resolution of which prevented compliance incidents from happening and ensured the continued flow of foreign intelligence information to the agencies. The joint oversight team believes that the lack of any overcollection incidents during this reporting period resulted from the efforts of all of the involved agencies. (TS//SI//NF) Several technical issues, however, did occur during this reporting period. For example, involved the unintentional dissemination acquired pursuant to FISA authorities, including Section 702, without an evaluation of whether contained United States person information ) or whether the United States person information ) constituted foreign intelligence information. While NSA policy prohibited the automated dissemination of unevaluated FISA-acquired information, this policy was not properly implemented because those who were not advised of the legal requirements. NSA has since revised its policy to require NSA Office of General Counsel approval The team notes the importance of the NSA Office of General Counsel and the joint oversight team being involved in the process of adopting such policies so that all oversight concerns can be fully addressed before the implementation of new programs. 31 37 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN (U) Each of the technical issues discussed in this subsection were discovered by agency personnel and each demonstrates the importance of the agencies continually monitoring their collection for abnormalities, particularly following configuration and other software changes made to collection and other related systems. The compliance incidents discussed in this subsection also highlight the complexity of the technical systems used to conduct Section 702 acquisition, as well as the rapid pace of change in communications architecture, that can result in technical and systemrelated incidents. The joint oversight team assesses that agencies’ regular monitoring of relevant systems processing Section 702-acquired information has led to fewer technical tasking and detasking errors and the quicker identification and resolution of system errors that do occur. (U) D. Effect of Human Errors (U) As reported in previous Assessments, human errors have often caused many of the compliance incidents. Some of these errors are isolated events that do not lend themselves to categorization or development of standard processes. For example, there were instances of typographical errors or similar errors that occurred when NSA was entering the selector name into the collection system or at some earlier time in the targeting process.33 The joint oversight team assesses that the overall rate of these types of errors is low reflecting the great care analysts use to enter information and the effectiveness of the NSA pre-tasking review process in catching potential errors. (U) Other errors, however, present patterns that could be addressed with new training, procedures or system modification reminders. As was the case in the last several reporting periods, one of the most common errors in this reporting period involved situations where a target who used multiple facilities tasked to Section 702 or Executive Order 12333 collection was discovered to be in, or known to be traveling to, the United States, and some of the Section 702 facilities were missed in the detasking process.34 Most of these detasking delays were quickly identified and remedied. However, the joint team remains concerned that these types of detasking delays involving multiple facilities continue to happen with consistent frequency. (U//FOUO) Ensuring that facilities are detasked when a target enters the United States requires not only that analysts be attentive, but also that they have access to accurate and up-to-date tasking records 32 33 34 38 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN tasked for a particular target, The joint oversight team assesses that this linkage problem needs to be addressed to prevent future situations where some of a target’s selectors are not promptly detasked, as required by the NSA targeting procedures. This is also one of the many instances in which good compliance practice is also good intelligence practice – ensuring that NSA has up-to-date, accessible, and accurate corporate records of all of the known communication facilities used by the targets of its acquisitions will also facilitate the analysis and production of foreign intelligence information. NSA has reported that it is examining how NSA targeting databases can be better used to centralize knowledge regarding all of a target’s known facilities, which could have prevented some of the detasking delays. As noted in the previous Joint Assessment, the joint oversight team assesses that improved linkage among the various NSA databases should continue to be given high priority despite the challenges in improving this area. The joint oversight team notes that NSA has continued to work on improving linkages during the last reporting session, but the number of compliance incidents that still occur demonstrates that this remains a persistent challenge. (S//NF) Another persistent but correctable error involves analysts choosing the wrong detasking reason in NSA systems when a target is discovered to be located in the United States or is found to have United States person status. If analysts discover either of these situations, they are instructed to emergency detask the facility, which results in an immediate detasking of the facility. NSA’s system also permits analysts to detask facilities in a non-emergency manner, which can result in an additional day of acquisition, if for example the analyst merely has lost foreign intelligence interest in the target. (S//NF) Separately, a continued focus on training could also help prevent some of the incidents in this reporting period attributable to misunderstandings of law or procedures/protocols. Subsection 2.A above describes a reverse targeting incident, which was the most substantial misunderstanding of law during this reporting period. Training at NSA, CIA, and FBI all focus on the need to convey information indicating that a Section 702 target is in the United States, the protocols to convey that knowledge, and the requirement in the agencies’ respective targeting and minimization procedures to act promptly upon discovering such information. The joint oversight team assesses that all agencies should continue to focus training on these protocols and requirements. 35 39 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN (S//NF) A small number of human errors involved issue is a familiar one at NSA, and the joint team has seen a sharp decline in such incidents over time as a result of measures taken by NSA to address it. (U) III. Review of Compliance Incidents – CIA Minimization Procedures (U) During this reporting period, there were the CIA minimization procedures. incidents involving noncompliance with (S//NF) were the result of disseminating Section 702-acquired information without the required FISA caveat or warning. Pursuant to 50 U.S.C. § 1806(b), “[n]o information acquired pursuant to this title shall be disclosed for law enforcement purposes unless such disclosure is accompanied by a statement that such information, or any information derived therefrom, may only be used in a criminal proceeding with the advance authorization of the Attorney General.” This statement is generally referred to as the “FISA caveat.” 40 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN (U) IV. Review of Compliance Incidents – FBI Targeting and Minimization Procedures (U) There were a minimal number of incidents involving noncompliance with the FBI targeting and minimization procedures in this reporting period. As a percentage of FBI’s targeting actions during the reporting period, the overall compliance incident rate during this reporting period was 0.03%. (S//NF) during this reporting period concerned errors in the processing of requests for for accounts, where FBI did not properly complete a required by FBI’s targeting procedures. In each case, the required and in none of these cases was anything discovered that undermined FBI’s targeting determination that the target was a non-United States person reasonably believed to be located outside the United States. (S//NF) Although incidents involve only FBI authorized during this reporting personnel, FBI personnel have been reminded of the importance of properly completing the required and the other FBI personnel have been reminded to follow Section 702 Minimization Procedures and to follow FBI’s targeting procedures. The joint oversight team believes the protocols and training 41 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN developed by FBI’s Exploitation/Threat Section will continue to ensure that this error rate remains low. (U) V. Review of Compliance Incidents – Provider Errors (U) During this reporting period, there was one incident of noncompliance by an electronic communication service provider with a Section 702(h) directive. This incident involved an overproduction of data. The communication was purged from Government systems. (U) As was the case of overproduction incidents discussed in the previous Assessment, this incident was identified by agency personnel, either through automated systems or by agents and analysts properly reporting within their agencies that the acquired data did not correspond with the authorized scope of collection. The joint oversight team believes that this demonstrates a success in training and collection monitoring programs, and encourages the agencies to maintain their vigilance in identifying possible overproductions. The joint oversight team also assesses that the overall number of overproductions during this reporting period, and over the course of the entire Section 702 program, has been relatively small. NSD and ODNI assess that this is due to the resources and efforts all involved parties have devoted to ensuring that providers are producing only authorized data. NSD and ODNI will continue to assist the agencies in these efforts as collection activities expand and evolve. (U) SECTION 5: CONCLUSION (U) During the reporting period, the joint team found that the agencies have continued to implement the procedures and to follow the guidelines in a manner that reflects a focused and concerted effort by agency personnel to comply with the requirements of Section 702. As in previous reporting periods, the joint oversight team has identified no indications of any intentional or willful attempts to violate or circumvent the requirements of the Act in the compliance incidents assessed herein. Although the number of compliance incidents continued to remain small, particularly when compared with the total amount of collection activity, a continued focus is needed to address underlying causes of the incidents which did occur, including maintaining close monitoring of collection activities and a continued focus on personnel training. The joint oversight team will continue to monitor the efficacy of measures to address the causes of compliance incidents during the next reporting period. 42 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN APPENDIX A A-1 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN APPENDIX A (U) IMPLEMENTATION OF SECTION 702 AUTHORITIES - OVERVIEW (U) I. Overview - NSA (U) The National Security Agency (NSA) seeks to acquire foreign intelligence information concerning specific targets under each Section 702 certification from or with the assistance of electronic communication service providers, as defined in Section 701(b)(4) of the Foreign Intelligence Surveillance Act of 1978, as amended (FISA).1 As required by Section 702, those targets must be non-United States persons2 reasonably believed to be located outside the United States. (TS//SI//NF) During this reporting period, NSA conducted foreign intelligence analysis to identify targets of foreign intelligence interest that fell within one of the following certifications: (U) As affirmed in affidavits filed with the Foreign Intelligence Surveillance Court (FISC), NSA believes that the non-United States persons reasonably believed to be outside the United States 1 (U) Specifically, Section 701(b)(4) provides: The term ‘electronic communication service provider’ means -- (A) a telecommunications carrier, as that term is defined in section 3 of the Communications Act of 1934 (47 U.S.C. 153); (B) a provider of electronic communication service, as that term is defined in section 2510 of title 18, United States Code; (C) a provider of a remote computing service, as that term is defined in section 2711 of title 18, United States Code; (D) any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored; or (E) an officer, employee, or agent of an entity described in subparagraph (A), (B), (C), or (D). 2 (U) Section 101(i) of FISA defines “United States person” as follows: a citizen of the United States, an alien lawfully admitted for permanent residence (as defined in section101(a)(20) of the Immigration and Nationality Act [8 U.S.C. § 1101(a)(20)]), an unincorporated association a substantial number of members of which are citizens of the United States or aliens lawfully admitted for permanent residence, or a corporation which is incorporated in the United States, but does not include a corporation or an association which is a foreign power, as defined in subsection (a)(1), (2), or (3). 3 4 A-2 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN who are targeted under these certifications will either possess foreign intelligence information about the persons, groups, or entities covered by the certifications or are likely to communicate foreign intelligence information concerning these persons, groups, or entities. This requirement is reinforced by the Attorney General’s Acquisition Guidelines, which provide that an individual may not be targeted unless a significant purpose of the targeting is to acquire foreign intelligence information that the person possesses, is reasonably expected to receive, and/or is likely to communicate. (U) Under the Section 702 targeting process, NSA targets persons by tasking facilities used by those persons to communicate foreign intelligence information. A selector is a specific communications identifier or facility tasked to acquire information that is to, from, or about a target. A “selector” could be a telephone number or an identifier related to a form of electronic communication, such as an e-mail address.5 In order to acquire foreign intelligence information from or with the assistance of an electronic communication service provider, NSA uses as a starting point a selector to acquire the relevant communications, and, after applying the targeting procedures (further discussed below) and other internal reviews and approvals, “tasks” that selector in the relevant tasking system. The facilities are in turn provided to electronic communication service providers who have been served with the required directives under the certifications. (S//SI//NF) Once information is collected from these tasked facilities, it is subject to FISCapproved minimization procedures. NSA’s minimization procedures set forth specific measures NSA must take when it acquires, retains, and/or disseminates non-publicly available information about United States persons. All collection of Section 702 information is initially routed to NSA. However, the NSA’s minimization procedures also permit the provision of unminimized communications to the Central Intelligence Agency (CIA) and Federal Bureau of Investigation (FBI) relating to targets identified by these agencies that have been the subject of NSA acquisition under the certifications. The unminimized communications sent to CIA and FBI, in accordance with NSA’s minimization procedures, must in turn be processed by CIA and FBI in accordance with their respective FISC-approved Section 702 minimization procedures.6 (U) NSA’s targeting procedures address, among other subjects, the manner in which NSA will determine that a person targeted under Section 702 is a non-United States person reasonably believed to be located outside the United States, the post-targeting analysis conducted on the facilities, and the documentation required. 5 6 (S//NF) As noted in the Section 707 Report, with respect to and ongoing acquisitions from certain electronic communication service providers A-3 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN (U) A. Pre-Tasking Location (U) 1. Telephone Numbers (S//SI//NF) For telephone numbers, NSA analysts may (U) 2. Electronic Communications Identifiers (S//SI//NF) For electronic communications identifiers, NSA analysts may 7 8 (S//NF) Analysts also check this system as part of the “post-targeting” analysis described below. 9 A-4 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN (U) B. Pre-Tasking Determination of United States Person Status (U) C. Post-Tasking Checks (S//SI//REL TO USA, FVEY) NSA also requires that tasking analysts review information collected from the facilities they have tasked. With respect to NSA’s review of ,11 a notification e-mail is sent to the tasking team upon initial collection for the selector. NSA analysts are expected to review this collection within five business days to confirm that the user of the selector is the intended target, that the target remains appropriate to the certification cited, and that the target remains outside the United States. Analysts are then responsible to review traffic on an on-going basis to ensure that the selector remains appropriate under the authority. 10 11 (S) Prior Joint Assessments have stated that the automated notification and review process described in this paragraph applied to all Section 702 acquisition. The past Joint Assessment stated that NSA and ODNI were looking into this issue, and in June 2013 NSA reported that its automated notification system to ensure targeters have reviewed collection is currently implemented only for , not . NSA is currently attempting to develop a similar system for A-5 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN Should traffic not be viewed in at least once every 30 days, a notice is sent to the tasking team, as well as to their management, who then have the responsibility to follow up. (U) D. Documentation (S//NF) The procedures provide that analysts will document in the tasking database a citation to the information leading them to reasonably believe that a targeted person is located outside the United States. The citation is a reference that includes the source of the information, enabling oversight personnel to locate and review the information that led the analyst to his/her reasonable belief. Analysts must also identify the foreign power or foreign territory about which they expect the proposed targeting will obtain foreign intelligence information. (S//SI//NF) NSA has existing database tool, for use by its analysts for Section 702 tasking and documentation purposes. to assist analysts as they conduct their work. This tool has been modified over time to accommodate the requirements of Section 702, to include, for example, certain fields and features for targeting, documentation, and oversight purposes. Accordingly, the tool allows analysts to document the required citation to NSA records on which NSA relied to form the reasonable belief that the target was located outside the United States. The tool has fields for the certification under which the target falls, and for the foreign power as to which the analyst expects to collect foreign intelligence information. Analysts fill out various fields each selector, as appropriate, including the citation to the information on which the analyst relied in making the foreignness determination. (S//SI//NF) NSA also includes the targeting rationale (TAR) in the tasking record, which requires the targeting analyst to briefly state why targeting for a particular selector was requested. The intent of the TAR is to memorialize why the analyst is requesting targeting, and provides a linkage between the user of the selector and the foreign intelligence purpose covered by the certification under which it is being tasked. The joint oversight team assesses that the TAR has improved the oversight team’s ability to understand NSA’s foreign intelligence purpose in tasking facilities. (S//NF) Entries are reviewed before a tasking can be finalized. Records from this tool are maintained and compiled for oversight purposes. For each selector, a record can be compiled and printed showing certain relevant fields, such as: the selector, the certification, the citation to the record or records relied upon by the analyst, , the analyst’s foreignness explanation, the targeting rationale, These records, referred to as “tasking sheets,” are reviewed by the Department of Justice’s National Security Division (NSD) and the Office of the Director of National Intelligence (ODNI) as part of the oversight process. A-6 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN (S//NF) The source records cited on these tasking sheets are contained in a variety of NSA data repositories. These records are maintained by NSA and, when requested by the joint team, are produced to verify determinations recorded on the selector sheets. Other source records may consist of “lead information” from other agencies, such as disseminated intelligence reports or lead information (U) F. Internal Procedures (U) NSA has instituted internal training programs, access control procedures, standard operating procedures, compliance incident reporting measures, and similar processes to implement the requirements of the targeting procedures. Only analysts who have received certain types of training and authorizations are provided access to the Section 702 program data. These analysts must complete an NSA Office of General Counsel (OGC) and Signals Intelligence Directorate (SID) Oversight and Compliance training program; review the targeting and minimization procedures as well as other documents filed with the certifications; and must pass a competency test. The databases NSA analysts use are subject to audit and review by SID Oversight and Compliance. For guidance, analysts consult standard operating procedures, supervisors, SID Oversight and Compliance personnel, NSA OGC attorneys, and the NSA Office of the Director of Compliance. (U) NSA’s targeting and minimization procedures require NSA to report to NSD and ODNI any incidents of non-compliance with the procedures by NSA personnel that result in the intentional targeting of a person reasonably believed to be located in the United States, the intentional targeting of a United States person, or the intentional acquisition of any communication in which the sender and all intended recipients are known at the time of acquisition to be located within the United States, with a requirement to purge from NSA’s records any resulting collection. NSA must also report any incidents of non-compliance, including overcollection, by any electronic communication service provider issued a directive under Section 702. Additionally, if NSA learns, after targeting a person reasonably believed to be outside the United States, that the person is inside the United States, or if NSA learns that a person who NSA reasonably believed was a non-United States person is in fact a United States person, NSA must terminate the acquisition, and treat any acquired communications in accordance with its minimization procedures. In each of the above situations, NSA’s Section 702 procedures during this reporting period required NSA to report the incident to NSD and ODNI within the time specified in the applicable targeting procedures (five business days) of learning of the incident. A-7 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN (U) The NSA targeting and minimization procedures require NSA to conduct oversight activities and make any necessary reports, including those relating to incidents of non-compliance, to the NSA Office of the Inspector General (NSA OIG) and NSA’s OGC. SID Oversight and Compliance conducts spot checks of targeting decisions and disseminations to ensure compliance with procedures. SID also maintains and updates an NSA internal website regarding the implementation of, and compliance with, the Section 702 authorities. (U) NSA has established standard operating procedures for incident tracking and reporting to NSD and ODNI. The SID Oversight and Compliance office works with analysts at NSA, and with CIA and FBI points of contact as necessary, to compile incident reports which are forwarded to both the NSA OGC and NSA OIG. NSA OGC then forwards the incidents to NSD and ODNI. (U) On a more programmatic level, under the guidance and direction of the Office of the Director of Compliance (ODOC), NSA has implemented and maintains a Comprehensive Mission Compliance Program (CMCP) designed to effect verifiable conformance with the laws and policies that afford privacy protection to United States persons during NSA missions. ODOC complements and reinforces the intelligence oversight program of NSA OIG and oversight responsibilities of NSA OGC. (U) A key component of the CMCP, is an effort to manage, organize, and maintain the authorities, policies, and compliance requirements that govern NSA mission activities. This effort, known as “Rules Management,” focuses on two key components: (1) the processes necessary to better govern, maintain, and understand the authorities granted to NSA and (2) technological solutions to support (and simplify) Rules Management activities. ODOC also coordinated NSA’s use of the Verification of Accuracy (VoA) process originally developed for other FISA programs to provide an increased level of confidence that factual representations to the FISC or other external decision makers are accurate and based on an ongoing, shared understanding among operational, technical, legal, policy and compliance officials within NSA. NSA has also developed a Verification of Interpretation (VoI) review to help ensure that NSA and its external overseers have a shared understanding of key terms in Court orders, minimization procedures, and other documents that govern NSA’s FISA activities. ODOC has also developed a risk assessment process to assess the potential risk of non-compliance with the rules designed to protect United States person privacy. The assessment is conducted and reported to the NSA Deputy Director and NSA Senior Leadership Team bi-annually. (U) II. Overview - CIA (S//NF) A. CIA’s Role in Targeting (S//NF) Although CIA does not target or acquire communications pursuant to Section 702, CIA has put in place a process, in consultation with NSA, FBI, NSD, and ODNI, to identify foreign intelligence targets to NSA (hereinafter referred to as the “CIA nomination process”). Based on its foreign intelligence analysis, CIA may “nominate” a selector to NSA for potential acquisition under one of the Section 702(g) certifications. A-8 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN Nominations are reviewed and approved by a targeting officer’s first line manager, a component legal officer, a senior operational manager and the FISA Program Office prior to export to NSA for tasking. (S//NF) The FISA Program Office was established in December 2010 and is charged with providing strategic direction for the management and oversight of CIA’s FISA collection programs, including the retention and dissemination of foreign intelligence information acquired pursuant to Section 702. This group is responsible for overall strategic direction and policy, with program external focus and interaction with counterparts of NSD, ODNI, NSA and FBI. In addition, the office leads the day-to-day FISA compliance efforts The primary responsibilities of the FISA Program Office are to provide strategic direction for data handling and management of FISA/702 data, as well as to ensure that all Section 702 collection is properly tasked and that CIA is complying with all compliance and purge requirements. 12 A-9 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN (U) B. Oversight and Compliance (U) CIA’s compliance program is coordinated by its FISA Program Office and CIA’s Office of General Counsel (CIA OGC). CIA provides small group training to analysts who nominate accounts to NSA and/or minimize Section 702-acquired communications. Access to unminimized Section 702-acquired communications is limited to trained analysts. CIA attorneys embedded with operational elements that have access to unminimized Section 702-acquired information also respond to inquiries regarding nomination and minimization questions. Identified incidents of noncompliance with the CIA minimization procedures are reported to NSD and ODNI by CIA OGC. (U) III. Overview - FBI (U) A. FBI’s Role in Targeting -- Nomination for Acquiring In-Transit Communications (S//NF) Like CIA, FBI has developed a formal nomination process to intelligence targets to NSA for the acquisition of in-transit communications. including information underlying the basis for the foreignness determination and the foreign intelligence interest. FBI nominations are reviewed by FBI operational and legal personnel prior to export to NSA for tasking The FBI targeting procedures require that NSA first apply its own targeting procedures to determine that the user of the Designated Account is a person reasonably believed to be outside the United States and is not a United States person. NSA is also responsible for determining that a significant purpose of the acquisition it requests is to obtain foreign intelligence information. After NSA designates accounts as being appropriate FBI must then apply its own, additional procedures, which require FBI to review NSA’s conclusion of foreignness A-10 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN (S//NF) More specifically, after FBI obtains the tasking sheet from NSA, it reviews the information provided by NSA regarding the location of the person and the non-United States person status of the person. (S//NF) Unless FBI locates information indicating that the user is a United States person or is located inside the United States, FBI will A-11 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN (S//NF) If FBI identifies information indicating that NSA’s determination that the target is a non-United States person reasonably believed to be outside the United States may be incorrect, FBI provides this information to NSA and does not approv (U) C. Documentation (S//NF) The targeting procedures require that FBI retain the information in accordance with its records retention policies FBI uses a multi-page checklist for each Designated Account to record the results of its targeting process, as laid out in its standard operating procedures, commencing with , extending through , and culminating in approval or disapproval of the acquisition. In addition, the FBI standard operating procedures call for depending on the circumstances, which are maintained by FBI with the applicable checklist. FBI also retains with each checklist any relevant communications regarding its review of the information. Additional checklists have been created to capture information on requests withdrawn , or not approved by FBI. (U) D. Implementation, Oversight and Compliance (S//NF) FBI’s implementation and compliance activities are overseen by FBI’s Office of General Counsel (FBI OGC), particularly the National Security Law Branch (NSLB), as well as FBI’s Exploitation Threat Section (XTS), FBI’s and FBI’s Inspection Division (INSD). XTS has the lead responsibility in FBI for requests . XTS personnel are trained on the FBI targeting procedures standard operating procedures that govern its processing of requests for XTS also has the lead responsibility for facilitating FBI’s nomination communications. XTS, NSLB, NSD, and ODNI have all worked on training FBI personnel to ensure that FBI nominations and post-tasking review comply with the NSA targeting procedures. Numerous such trainings were provided during the current reporting period. With respect to minimization, FBI has created a mandatory online training that all FBI agents and analysts must complete prior to gaining access to unminimized Section 702-acquired data in the FBI’s A-12 TOP SECRET//HCS/SI//ORCON/NOFORN Approved for public release by the ODNI 20160719 TOP SECRET//HCS/SI//ORCON/NOFORN (S//NF) The FBI’s targeting procedures require periodic reviews by NSD and ODNI, at least once every 60 days. FBI must also report incidents of non-compliance with the FBI targeting procedures to NSD and ODNI within five business days of learning of the incident. XTS and NSLB are the lead FBI elements in ensuring that NSD and ODNI received all appropriate information with regard to these two requirements. (U) IV. Overview - Minimization (U) Once a selector has been tasked for collection, non-publicly available information collected as a result of these taskings that concerns United States persons must be minimized. The FISC-approved minimization procedures require such minimization in the acquisition, retention, and dissemination of foreign intelligence information. As a general matter, minimization procedures under Section 702 are similar in most respects to minimization under other FISA orders. For example, the Section 702 minimization procedures, like those under certain other FISA court orders, allow for sharing of certain unminimized Section 702 information among NSA, FBI, and CIA. Similarly, the procedures for each agency require special handling of intercepted communications that are between attorneys and clients, as well as foreign intelligence information concerning United States persons that is disseminated to foreign governments. (U) The minimization procedures do, however, impose additional obligations or restrictions as compared to minimization procedures associated with authorities granted under Titles I and III of FISA. For example, the Section 702 minimization procedures require, with limited exceptions, the purge of any communications acquired through the targeting of a person who at the time of targeting was reasonably believed to be a non-United States person located outside the United States, but is in fact located inside the United States at the time the communication is acquired, or was in fact a United States person at the time of targeting. (U) NSA, CIA, and FBI have created systems to track the purging of information from their systems. CIA and FBI receive incident notifications from NSA to document when NSA has identified Section 702 information that NSA is required to purge according to its procedures, so that CIA and FBI can meet their respective obligations. A-13 TOP SECRET//HCS/SI//ORCON/NOFORN