Doc ID: 6672881 IOP 31!:CltTi?~Yf'IOP( NATIONAL SECURITY AGENCY CENTRAL SECURITY SERVICE OFFICE OF THE INSPECTOR GENERAL 22 March 2019 TO: DISTRIBUTION Report on the Revie\v of the National Security Agency/Central Security SUBJECT: (U/F-O~ Service's Deletion ofCe1tain USA FREEDOrvl Act Data (ST-18-0008)- Special Study (U) Summary (I Sii3li/1:if) Follo\ving the discovery that the National Security Agency/Central Security Service (NSA) received inaccurate call detail records (CD Rs) pursuant to the USA FREEDOrvt Act (UFA), and a subsequent request by two U.S. Senators for an independent revie\v of certain aspects of NSA's UFA progra1n, including whether NSA's deletion was sufficient to ensure that all inaccurate CDRs \vere deleted, the NSA Office of the Inspector General (OIG) conducted a li111ited scope study of NSA 's deletion of CD Rs and data derived frotn those CD Rs (hereafter collectively refe1Ted to as "UFA data objects") ingested prior to 23 May 2018. 1 The OIG generally found that NSA had been successful in deleting thel IUFA data objects derived fron1 CDRs that it received fron1 U.S. telecon1n1unications service ro\•iders under the UFA progran1: that SJ1ould have been deleted, but however, \Ve identified were not based upon NSA s 1n1sta en assun1P,t1on regar 1ng t 1e tt£e-o.ff configurations for a single signals intelligence (SIGINT) repository 2 ·A!\ '<.'I.. result, \Ve n1ake one its controls in the tvent that a future UFA reco1nn1endation to assist the Agency jn su~egthni (bl (3)-P.L. 86-36 f• I .. I (b) 111 (b) (3)-P.L. (U) The OIG also continues to consid·c, Qdditiontil controls associated \Vith NSA 's !Jf~ revle\v. • • • •• 1 2 . •. 0 prognu 86-36 for possible future 1 I i i • (TS.','Sl'.'l'W) Beginning on 29 NoYctnber 20\S. thc UFA a1ncnd1nents to the Fpteign Intelligence Survei!iance Act • (FIS.A.) provided a ne\v n1echtinisn1 for the Govcrn1he111 to obtain orders" for t;,i1"getcd production of CDRs relating to ! tiu!horized investigations to protect tigainst interao1.l~ NSA ~lated thtit, on 30 Novetnber 20 l S. the ~ Foreign fntcl!igence Surveilltinee Court (FISCJ annroved the first ;innlitation under the targeted CDR oroduction ·,, nrovisions of UFA. I • I . . .. . • . . I L OIUllll1111CtlllOtlS 111ettidata IS tile C!Hlllllg. roullng. • auuress1ng. or signaling 1n1onnauon titea \V!l le ectr"nlc co111111unictnio11 events. Con1111unica1ions n1ctada1a • . •. docs not contain the con1cnt of collu11\1nications. I . . .. •. . . ... . . ... I .. ~ as~oc ByJ Classified Deri\·ed Fron1: N A/(·SS:\·I 1-:->2 Dated: 20180110 Declassify On: ~649J2 TOP SECRET//Sl;'tI"\OFOlt!\ NSA FOJA Case 105767 Page 069 l Doc ID: 6672881 'f6f SECltE'f'HSlfiNOFOftN (b) (1) ST-18-0008 .:·. . (b) (3)-P.L. 86-36 deletion is required, and one recom1ne11dation for tl1e Agency to conside.r .wl\ether it needs ~ reissue or revise its notifications to tl1e FISC and tl1e Congress, as detailecfbeloW. : ·• • • (U) Background (T£/ • • I •• •• • • • 1 ~1/If) NSA reported to the FISC, through the* b~part1ne qf ·Justice Nation~! Secur~tY, Division via a Rule 13(b) Disclosure of Nql\-COmpliance notift;:iltion, ".S'111Jp!e1ne11jal Nollet! .for ()rlfers Req~1irng !he" Regarding Applicatio11s o.f the Federffl ·B11relu1 of' !1vestig~fo Procluclion o,f' (.,all Detail ec >rds t >·he 'ec · · s ) ' 11111be1"s,'{ dated 4 June 2018 that • and f00111" a .________....,.provided inaccurate CDRs (~aused by systen1 errors) to NSA ~lie res onding to various docket ntunbers a roved ur t1a11t to UFA. NSA further stated that because.the could not identify tl1e affected CDRs for 15l"SA ~ due to legal restrictions, and beca11se NSA 11ad no way to independently detennine which C:ORs ~ contained inaccurate inforn1ation, NSA did not have a viable way to re1nove affected UFA·data .objects and retain unaffected UFA data objects. As a result, on 23 May 2018, NSA be an deietin° ·· from its SIG INT re ositories all UFA data ob· ects in ested rior to that date. 3 On 1ngeste prior to ay 2018 ata o ~ects had either been Oeleted or aged-off fron1 NSA's SIGINT repositories. Subseq11ently, the OIG conducted independept verification testing fro1n Septen1ber through tnid-October 2018 . . (U/IFOUO) Prior to verrtjcation testing, the OIG obtained fro111 NSA a list that it certified to be accurate and complete of all repositories (hereafter referred to as "declared SIG INT repositories") that retained UFA data objeCts ingested prior to 23 May 2018. The OIG further obtained from NSA the actions it took to del.ete or age-off UFA data objects fron1 the declared SIGINT repositories. It is in1portant to note that the OIG does not have the capability to search NSA syste1ns to independently verify that"the NSA-declared SIGINT repositories are the only systems that retain UFA data objects. IfNSA-were to retain UFA data objects outside of the declared SIG INT repositories (e.g., shared directo;i'e$ accessible by trained and authorized NSA personnel), the OIG would have no way to detect that cfa.ta. 4 As a result, the OIG focused its review only on • 1 • (TS\'~ilW) NSA stated that, as authorized, it retained UFA,datn objects ingested prior to 23 May 2018 that support dissen1inated NSA SIGINT product reports. In a Rule 13(b) 1'Lsclosure ofNon-Cotnpliance notification filed \Vith the FISC on 4 June 2018. NSA stated that it had detennined thnt infonnation in one re on 1eve to contain inaccurate 111 orn18Uon ro111 DRs • • • I it Jut re1ss1 e tie Ill onnaUoll tll • NSA further stated that. 011! ~. "'re"p"'"o"rt-r-------,,,m°"to'-r"'·e"'p°"on,,j-="-'===9 after n1aking the f1~:.esar) revisions f.egardillg correlations; • of data ort 1c reca e rep rt .•L,flsty.~ :ft'!",~;a 1 1 1 filllv 'lt I INT r above) ' (includes the reissued re on disc1~e \V : ~ (U/l'FO!J~ On 5 Scp1cn1ber 20 J 8. NSA isu~ct. t1(.ltki;;, • tO •a11. Ff?££D(),\f Act I5ar1~" .J\!SA pefs@l\Hel \Ve~: : personal files and \vorking papers foi: YP A data objects ingested prior tO 13..'Mse reports. At that tin1e, NSA had not yet JlOtified the FISC that it had ce1npleted the deletion of all UFA data objects i1'-gested prior to 23 May.2018 in responsf to an eatlier compliance problem.~ Therefore, OGC concl11ded that NSA's delay· in. deleting the_ }lata objects was not a neW. co11).pliance violatioii. .. . . . .. . 13(b) (TSHSb'1qffj Subseque1irty, on 25 October 2018, NSA reported to ihe FISC via a Rul~ Disclosure ofNn-C1plia.c~ notification, "Final Notice Regarding 4.pp(iccttions of the F.ederal Burecnt of' Investigation ,fbr Oi·dqrs Req11iri11g the Prod11ctio11 o,f C'(]/I Detail Record<;: to the Nationct! 5'ecurit)' Age11c;1, Various "IJocket N111nbers," that, 011 22 Augnst 2018, NSA confir1ned ... 0 found. NSA personnel \Vere instn1cted to inunedia tCly delete the data. The only alo\~1be exception \Vas tor UFA data objects that support disse1ninated NSA SIGINT prodn~t reports. The Agency did nol.r~uie analysts or rechnical detected and deleted, so tl!ere is no data trail for the personnel to report \Vhether UFA data objects \Vere subeq~nJ:ly OIG to audit ho\v 1nucl1 data \vas detected and deleted as a resu(t t:lfNSA 's instn1ction or'otl.l.er,vise. • . 1'lT~5;/! • I .• this li1ni!ed scope study, the OIG did not revie\\' the tin1eliness of NSA.notiiLcations sent to -external (U) Durin~ ." overseers .. 1"he OIG is currently perforniing a separate study that \Vill generally nssess NSJ! 1f incident n1ani1ge1nent and reportn!E controls. (b) (3)-E'.L. 86-36 .; 6 l (b) (1) (b) (3)-P.L. 86-36 TQP ~ECRT/51i'?\OFK!t 3 NSA FOIA Case 105767 Page 071 Doc ID: 6672881 "f6f SECltETh'Slh'NOFORP\ ST-18-0008 the deletion of UFA data objects ingested prior to 23 May 2018. NSA further stated that after deleting the UFA data objects, it conducted additional examinations of NS A repositories and found data objects that the OIG had a small nu1nber of "CDR remnants" (referring to the discovered) in one system, which inclltded son1e CDR- erived data fields but not the entire CDRs. Separately, on 28 Dece1nber NSA stated tl1at the CDR re11111ants were deleted on 2018, NSA sent Congressional Notifications, "[!ptfate Regc1tlli11g the National .S'ecurit;. AgencJ' 's (NSA) Deletion of Call Detail Recorlls," to tl1e House Pfil1nanent Sel~t Comn1ittee on Intelligence (HPSCI) and Senate Select Com1nittee on Intelligen."ce (SSCI) to·notify the1n of the OIG's discovery and NSA 's deletion of a sn1all nurnber of "e'DR ren1nants;: in one syste111 that sl1ould have been included in the original deletion completed Onl : Jlnd were later deleted 01~ I In botl1 the notifications to the F:CSC and to the PJP I and SSCI, the NSA stated that CDR re1111\aQts were in data fields that "are 11:ot seen or used ~y qle analyst con1n1unity, but are used for tracking"aqd n1anage1nent purposes." '~ 1 ' ... ' ' I "" "" "" "" ..." .... .... .... .... .... .... .... .. •" . "" "" "" "• •• •• .•. ..., (b) (3)-P.1. ..''' • ., (b) (1) (b) (3)-P.L. TQP 86-36 ~ECRTiVSI/?OFltf\ 4 NSA FOIA Case 105767 Page 072 86-36 J Doc ID: 6672881 'f'6f SIECR'fhlNOF~i (b) (3)-P.L. 86-361 •• ST-18-0008 ' .. (U/IPOl:IO) Determine whether the Rule 13(b) notification, is~ed 25 October 2018, and the Congressional Notifications, issued 28 December 201s; should be reissued or revised to clarify statements regarding CDR remnants. .... .. LEAD ACTION: D2 SECONDARY ACTION!" I I I (U) Management Response (U) AGREE The action requested by the subject reco1nn1endation has already been con1pleted. (U/fi~ Notifications issued to the FISC are written and coordinated by the Departn1ent of Justice's National Security Division and written notifications to various co111111ittees of the Congress are coordinated by the Agency's Legislative, State, a11d Local Affairs (P3). S11ch records are not reissued or revised. Supplen1ental infonnation, clarifications, and corrections to sucl1 records are ro11tinely provided through for1nal and infon11ation Executive Brancl1 engage1nents \.vith the FISC and Congress, to the extent otherwise necessary to facilitate oversight of NSA intelligence activities within the relevant jurisdictions of these separate branches of Government. ' " " II ... ... ... .. ,. (U) OIG Comment (U) The planned action 111eets the intent of the recon1n1endation. This recon1111endation has be~n.· closed. (bl (i} (b} (3)-P.L. 86-36 (b} (5) TQP ~ESCRT/l{1"'0FO?( 5 NSA FOIA Case 105767 Page 073 . ... .. . ..... .·. ...... ··. ....., .. . < . < . < ,.' . Doc ID: 6672881 'f'Of (b) (3)-P.L. 86-36 SECR'fhl\~iOFPt ST-18-0008 -~"&, ~ ~ ,, ' ~ ' . ' ' ' " (U//F8UGt Update applicable procedures so that, regardless ofwriat corporate process NSA uses to delete data in response to a future UFA compliancit and/or policy issue, they are sufficient to ensure that the Agency confirms, by review"1g system generated reports, that all UFA data has been deleted from NSA SIGINT repo!:iitories. Furthermore, are relied the procedures should include a requirement that, when age-off ~echanism and review on to delete that UFA data, NSA will confirm the age-off confi~urats system-generated reports to confirm that all UFA data objects are·'not retrievable. -; ; ACTION~ LEAD SECONDARY ACTION (U) Management Response U// .. .. .. .. .. .. .. .. .. ''AGREE I (b) (3)-P.L. (U) OIG Comment 86-36 (b) (5) (U) Tl1e planned action n1eets the intent of the reco1nn1endation. (U) In accordance with NSA/CSS Policy l-60, NSAICSS ()ftice of!he Impec/or General, 24 March 2016, ai1d IG-11925-18, J;o/fo» -11p Procedures/or GIG Final Report Recom1nendations, l August 2018, actions on QIG recommendations are subject to 111011itoring and follow-up until co1npletion. To request that a recon1n1endation be closed, please provide sufficient evidence to show that actions have bee11 taken that fully co111ply \vith the reco111111endation. If you believe an action to be overtaken by eve11ts (QBE) and no longer applicable, please provide a j11stificatio11 and evidence. If a planned action will not be con1pleted by the original target co1npletion date identified in the report, please provide the reason for the delay a11d forward a revised target con1pletion date to the OIG. All requests related to recon11nendation closure, including those reco1111nendations believed to be QBE, should be subn1itted to Follo\v-up Progran1 Manager, at DL DI Followup (ALIAS) DL 1 J:QP ~CRET/i'SIH?\OFN 6 NSA FOIA Case 105767 Page 074 Doc ID: 6672881 TOP Sl!>CRgTIJ~/'Of. ST-18-0008 (U) Further, each tasked Directorate should add reco1nn1endations listed in this report to its existing OIG open reco1nn1endations for inclusion in the bin1onthly updates to the OIG, \\'hich are due I January, I March, I May. 1 July, I Scptcn1bcr, and 1 Novcn1bcr. A separate action \viii be sent for the I March and I Septen1bcr bin1onthly updates in advance of the release of the OIG's Scn1iAnnual Report to Congress. (U/i'FOUO) We appreciate the courtesy and cooperation extended to the evaluators throughout Ion 963-0922(s) or via c-n1ail the revic\v. For additional inforn1ation. please conta~ ~(-b_)3P.L86r• atl l .. ... ··· : ... .1 / J . .... , ROBERT P. STORCH Inspector General (U) This report n1ight not l>e releasable under the Freedon1 of lnforn1ation Act or other statutes and regulations. Consult the NSA/CSS Inspector General Counsel before releasing or posti11g all or part of this report. ·rop SECR'f/;l~48F6Itr< NSA FOIA Case7105767 Page 075 Doc ID: 6672881 'f6f SECRET/fSlh'?JOFOR?J ST-18-0008 (U//FOUOl DISTRIBUTION: DIRNSA D/DIR EX/DIR •.••• I 1.·~ is. ........ •: .. ···.····""'• D Ourbyl I J. G. Sn1ithbcr.1cfl D,,.G.-Gcr;(ci J. Mu Iligan I l1N.. Lni11g1: • I ':. • I ;: •• • •· •• IT. Anthon;!. • .. ' .. ... ' ' I I P7: P. Rc·,....oldsl ~ •• I "' :; : •• • • .., Richard~-1 .i ·~ •• , • (U/>TOUO) cc· 02: P. Mo11·isl 05: R. = ' 86-36 (b) (3)-P.L. . .. .. .. .. . '' I: ' ... '''. .. '. .. .. I .. ... ... .. .... .... .. " " "" ... .... .... .. " . :1 OGCI HPSCI SSC! JG D/IG DI 01,-~' 012 DlJ [) 14 NSA FOIA Case~OS76 Page 076 Doc ID: 6672881 T6f SECKE'fHSI1>'¥oiOFORl'f ST-18-0008 (U) APPENDIX A: MANAGEMENT RESPONSES TB P SEERET:;)'Sl;'f PlB FBRll NS..\/CSS ()FJ.'ICE OF ·r11E INSPl~c·roH. (;ENEH.AL J\'IANAGEl\1ENT H.ESl'ONSE FC)llM l\IEi\'tOllANUUi\'1 ·r(): O!licc of the [nspcclnr (icncrnl (CJ!(;) Fll()l\·1: ()f1icc ofUcncral Counsel. (}pcrational Authorities l'racticc (iroup (1)2 I) (),\.fE: 1.2 tl.·larch 2019 StlB.IE(:·r: (lJ/~) ST-18-0008 ·-Special Study - J)rnll llcport on the Rcvic\v of NSA/('SS's !Jclction nr (\:nain lJSA FRED":IO) Managernent's Con1111ents: • ·rhc action requested by the subject rcco111n1cndation has already been (U/~ con1plctcd. • {U/~ Notifications issued to the Foreign Intelligence Surveillance Court (FIS(') arc \vrittcn and coordinated by the J)cpart1nc11t of J11sticc·s National Security Division and \\Tillcn notifications to various con1n1illccs of the Ct111grcss arc coordinated by the Agency's Legislative. State, and Local Affairs (P3). Such rcconls arc not reissued or revised. S11pplc111c11tal i11forn1atio11. c!arilicntions. and corrections to such records arc routinely provided through ronnal and infonnal Exccuti\'c Branch cngngcn1cnts \vith the flSC' iind Congress. to the extent other\vise necessary to facilitate oversight ofNSA intelligence activities \\'ithin the relevant jurisdictions of these separate branches of (jtl\·l'fll!HCtl\. ..___,,,___. Cld>>1f1ed By! !J<'r•··'"'I (b} (1) (b} (3)-P.L. 86-36 TOP fr(Hll ~JSfl./C·1 l, Sl ll>•fv On i_jl · l'.l".111:.. (b) (3)-P.L. ~J;CRET#SliVP'OFfz 9 NSA FOIA Case 105767 Page 077 86-36 Doc ID: 6672881 'fOf {b) (1) St!:CRE'f/Jbl~.YOF-Pi (b) (3)-P.L. 86-36 ST-18-0008 ....• .. T!f !iE!RETj)'!ilJYIJBFBRIJ • I I 1"!"!,;'.'il//IH·1 {lJl/l'OUO) Lead Action: D2 ' "W(~U/ -'~ Secondary: LI • • • • l__________ {b) (3)-P.L. 86-36 ( lJl'l'GJ' 'O) Additional ('.onunenls: N/1\ Associntc Clcncral Counsel. Opcrational Ainhoritics {bl (3)-P.L. (b) (6) ipp 'I l: ()llicc of the l!lSJK'Ctor General (C)IG) ... ·1 FRCli\I: SllB.JEC:·r: UFA !)clctc Rcpon. ST-18-0008 This n1c111orandu111 provides the NSAIC~ (lJ/~) ICi 2: l~con1dti (3)-P.L. 86-361 . . . .. " .... DATE: 11 11.·1areh 2019 (lJI~) (b) . .• .• ~lt:i •. -. .•·. ' ' ' .• responic'.to the subject draft report. .. .. (U/~ Update npplicablc proccdt11t; ~!hat. rcgardlco$s:of\\hat corponllc process NS1\ us~ to delete data in response to lillurc UIOA t:on1pliancc and/or 11olicy issues. they arc snfticient to : rcvic\1' syi1cri1-gcncratcd reports. that all UFA , ensure that the Agency confinns. \~."rcivng dnta hns been deleted fron1 NSA.~ICl'T repositories. Ft111lrcnnorc. the procedures should include n rcquirc111cnt that. 11·hL'i1 al!c-off 1ncchanisn1s arc'rcOed on to delete that UFA datn. NS.I\ 1vill conlirn1 the age-offconFi£,uratc: 09/30/2019 (LJ/I~) Coordinated \\'ith Secondary ;\ctionce{.s): Yt>sl No __ {LJf/f"6tj@) J\-l:1nagcn1cnt's Con1n1cnts: (U/~)l-f1nvc ~1ordinatc action. • . their response on this I. (U/t~I UNCLASSIFll-D//FS?, 8ffl(11;" US[ 611. 1 J:OP ~ECRTh'SliJ?OF1<7 II NSA FOIA Case 105767 Page 079 Doc ID: 6672881 'f6f SECR'E'i'/i'Sffi1oiOFORf\ ST-18-0008 UNCLASIFED/9~ 9FFICl:\t ~SE J (b) (3)-P.L. Bllt'i' ...•. .. .. • , - > = - ' = " " - - - - - - - - - - -....... I (U/~I •: I • ('"I (lJ~ -~ ·~ .• I • 4.. . ... 'I I ,.... :' I~-., 86-36 i • ' Ll'ad ,\clion:'J-------------IJ11·i!I CLlordinatc thl' ~ procedures rc1·ic11·.! f1ill lcnd the 1erit1cation il4' the event of a future deletion. ,. (lJI/~ ,." Additional Co111n1l'nts ..I (UI/~ Thnnk you for the opportunity to n.:vie1r nnd res iond to the O!G draft re ion. !fvou hal'c fu11her questions or concen1s. please cont:ict thCI I 992-5053. ~1-.J"ONA'l/\L (b) (3)-P.L. 86-36 "l5"A"ll"B"y,..--'f " • [)ircctor of ()pcrations. NSA/CSS UN(l/\S)IFll ll//""91' 6f''l[I. _ e!SI @'ii.,. TQP ~ECRT/tSIi'POFl 12 NSA FOIA Case 105767 Page 080 (b) (6) Doc ID: 6672881 'fOf 8ECRE't'HSb¥NOFORi>t ST-18-0008 UNCLASSIFIED//F'Wlli 9FFl€1 ":L \..JSE 8HPt NSA/CSS OFFICE OF ·rHE INSPECl'OR GENERAL MANAGEMENl' RESPONSE FORM MEM()RANI>UM l'O: Oflice of the Inspector General (C)IU) ffiOM•I I '-------------------<. DATE: l l ,\1arch 2019 SUBJECT: UFA Delete Report, ST-18-0008 (lJ/~ This n1cn1orandun1 provides the NSA/CSS OIG rcsponsl!Jo the subject drafi report. (U/J~ IG Recommendation 2: (U/~ Update applicable procedures so that, regardless of\v"Qat corporate process NSA uses to delete data in response to future UFA con1pliancc and/or policy i'.>sucs, they are sufficient to ensure that the Agency confirms, by revie\ving revic'v systen1-gencr.aicd reports, that al! UFA data has been deleted from NSA Sl(JINT repositories. Furthcnnore, tl\c procedures should include a rcquircn1cnt that, \vhcn age-offn1cchanis1ns arc relied on to dG!ctc that UFA data, NSA \vill conlirn1 the age-off configun1tions and rcvic\v systcrn-gencratcd rcp0[1s to confinn that all UFA datu objects arc not retrievable. ~:;.,ri ··.".".".".".".".".".".".".".".".".". ·J (U/Jti@t;Q) Agree _X_ or Disagree __ (U/~ Target Completion Date: 09/30/2019 (U/~ Coordinated with Secondary Actioncc(s): Y.ci._&_ No__ 1b1131-P.1. s6-36 • (U/~) Management's Comments: (Ul_i't"SWQ)Ll_ _ _ _ _ _ _ _ _ _ _ _ _ action. _,f have coordinated their response on this I UNCl/1';Sil II 1J/;"'o~+.°_ l=QP ~ECRTN51/i'?0FO 13 NSA FOIA Case 105767 Page 081 Doc ID: 6672881 'f6f SECRR'ff/Sb¥Pi0FORP\ ST-18-0008 UNCLASIFED/1'~QR '1••u;;1;,e lei!iE 81ljl¥ I • (U/ - . .. .. ~vilTcordna ~il ... .. ... .. .... .. .... .. .. .. ' I • (U/ I (U/~Lcad trljpg· j procedures revi\~· the event ofa future deletion. (U/~ I .. I .. I ..... ... .. .. .. .-. .... I.. .,.,. .. < .. < < . ... fl· .. ,.. .. .. r ' 86-36 the ::: icad the verification in; Adtlitional Commenls-1 -· < you for the opportunity to rcvie\v and respond to the O!G draft"'l"Cport. Jfyou have( • further questions or concerns, please contact the Capabilities Leadership Support S"l;[vices,j 992-5053. (U/~Thank .. -• • ·1 I xI .. GreqoryL Smi(f;'berQer ~ -LJNCIA~lf/ TOP .. .,,' ~ECRT/SIi'OFN 14 NSA FOIA Case "105767 Page 082 (b) (3)-P.L. I