In the United States, at least since 2001, there has been legal controversy over what signal intelligence can be used for and how much freedom the National Security Agency has to use signal intelligence. In 2015, the government made slight changes in how it uses and collects certain types of data, specifically phone records. The government was not analyzing the phone records as of early 2019. The surveillance programs were deemed unlawful in September 2020 in a court of appeals case.

More specifically, Snowden released information that demonstrated how the United States government was gathering immense amounts of personal communications, emails, phone locations, web histories and more of American citizens without their knowledge. One of Snowden's primary motivators for releasing this information was fear of a surveillance state developing as a result of the infrastructure being created by the NSA. As Snowden recounts, "I believe that, at this point in history, the greatest danger to our freedom and way of life comes from the reasonable fear of omniscient State powers kept in check by nothing more than policy documents... It is not that I do not value intelligence, but that I oppose . . . omniscient, automatic, mass surveillance. . . . That seems to me a greater threat to the institutions of free society than missed intelligence reports, and unworthy of the costs."

In March 2014, Army General Martin Dempsey, Chairman of the Joint Chiefs of Staff, told the House Armed Services Committee, "The vast majority of the documents that Snowden ... exfiltrated from our highest levels of security ... had nothing to do with exposing government oversight of domestic activities. The vast majority of those were related to our military capabilities, operations, tactics, techniques, and procedures." When asked in a May 2014 interview to quantify the number of documents Snowden stole, retired NSA director Keith Alexander said there was no accurate way of counting what he took, but Snowden may have downloaded more than a million documents.

Other surveillance programs

On January 17, 2006, the Center for Constitutional Rights filed a lawsuit, CCR v. Bush, against the George W. Bush presidency. The lawsuit challenged the National Security Agency's (NSA's) surveillance of people within the U.S., including the interception of CCR emails without securing a warrant first. In the August 2006 case ACLU v. NSA, U.S. District Court Judge Anna Diggs Taylor concluded that NSA's warrantless surveillance program was both illegal and unconstitutional. On July 6, 2007, the 6th Circuit Court of Appeals vacated the decision because the ACLU lacked standing to bring the suit. In September 2008, the Electronic Frontier Foundation (EFF) filed a class action lawsuit against the NSA and several high-ranking officials of the Bush administration, charging an "illegal and unconstitutional program of dragnet communications surveillance," based on documentation provided by former AT&T technician Mark Klein.

As a result of the USA Freedom Act passed by Congress in June 2015, the NSA had to shut down its bulk phone surveillance program on November 29 of the same year. The USA Freedom Act forbids the NSA to collect metadata and content of phone calls unless it has a warrant for terrorism investigation. In that case, the agency must ask the telecom companies for the record, which will only be kept for six months. The NSA's use of large telecom companies to assist it with its surveillance efforts has caused several privacy concerns.

AT&T Internet monitoring

In May 2008, Mark Klein, a former AT&T employee, alleged that his company had cooperated with NSA in installing Narus hardware to replace the FBI Carnivore program, to monitor network communications including traffic between U.S. citizens.

Data mining

NSA was reported in 2008 to use its computing capability to analyze "transactional" data that it regularly acquires from other government agencies, which gather it under their jurisdictional authorities. A 2013 advisory group for the Obama administration, seeking to reform NSA spying programs following the revelations of documents released by Edward J. Snowden, mentioned in 'Recommendation 30' on page 37, "...that the National Security Council staff should manage an interagency process to review regularly the activities of the US Government regarding attacks that exploit a previously unknown vulnerability in a computer application." Retired cybersecurity expert Richard A. Clarke was a group member and stated on April 11, 2014, that NSA had no advance knowledge of Heartbleed.

Illegally obtained evidence

In August 2013 it was revealed that a 2005 IRS training document showed that NSA intelligence intercepts and wiretaps, both foreign and domestic, were being supplied to the Drug Enforcement Administration (DEA) and Internal Revenue Service (IRS) and were illegally used to launch criminal investigations of US citizens. Law enforcement agents were directed to conceal how the investigations began and recreate a legal investigative trail by re-obtaining the same evidence by other means.

Obama administration

In the months leading to April 2009, the NSA intercepted the communications of U.S. citizens, including a congressman, although the Justice Department believed that the interception was unintentional. The Justice Department then took action to correct the issues and bring the program into compliance with existing laws. United States Attorney General Eric Holder resumed the program according to his understanding of the Foreign Intelligence Surveillance Act amendment of 2008, without explaining what had occurred.

Polls conducted in June 2013 found divided results among Americans regarding NSA's secret data collection. Rasmussen Reports found that 59% of Americans disapprove, Gallup found that 53% disapprove, and Pew found that 56% are in favor of NSA data collection.

Section 215 metadata collection

On April 25, 2013, the NSA obtained a court order requiring Verizon's Business Network Services to provide metadata on all calls in its system to the NSA "on an ongoing daily basis" for three months, as reported by The Guardian on June 6, 2013. This information includes "the numbers of both parties on a call ... location data, call duration, unique identifiers, and the time and duration of all calls" but not "[t]he contents of the conversation itself". The order relies on the so-called "business records" provision of the Patriot Act.

In August 2013, following the Snowden leaks, new details about the NSA's data mining activity were revealed. Reportedly, the majority of emails into or out of the United States are captured at "selected communications links" and automatically analyzed for keywords or other "selectors". Emails that do not match are deleted.

The utility of such a massive metadata collection in preventing terrorist attacks is disputed. Many studies reveal the dragnet-like system to be ineffective. One such report, released by the New America Foundation, concluded that after an analysis of 225 terrorism cases, the NSA "had no discernible impact on preventing acts of terrorism." Defenders of the program said that while metadata alone cannot provide all the information necessary to prevent an attack, it assures the ability to "connect the dots" between suspect foreign numbers and domestic numbers with a speed only the NSA's software is capable of. One benefit of this is quickly being able to determine the difference between suspicious activity and real threats. As an example, NSA director General Keith B. Alexander mentioned at the annual Cybersecurity Summit in 2013 that metadata analysis of domestic phone call records after the Boston Marathon bombing helped determine that rumors of a follow-up attack in New York were baseless.

in which he stated: "I cannot imagine a more 'indiscriminate' and 'arbitrary invasion' than this systematic and high tech collection and retention of personal data on virtually every single citizen for purposes of querying and analyzing it without prior judicial approval...Surely, such a program infringes on 'that degree of privacy' that the founders enshrined in the Fourth Amendment".

As of May 7, 2015, the United States Court of Appeals for the Second Circuit ruled that the interpretation of Section 215 of the Patriot Act was wrong and that the NSA program that has been collecting Americans' phone records in bulk is illegal. It stated that Section 215 cannot be interpreted to allow government to collect national phone data and, as a result, expired on June 1, 2015. This ruling "is the first time a higher-level court in the regular judicial system has reviewed the NSA phone records program." The replacement law, known as the USA Freedom Act, will enable the NSA to continue to have bulk access to citizens' metadata but with the stipulation that the data will now be stored by the companies themselves.

including Upstream collection, a mass of techniques used by the Agency to collect and store Americans' data/communications directly from the Internet backbone. Under the Upstream collection program, the NSA paid telecommunications companies hundreds of millions of dollars in order to collect data from them. While companies such as Google and Yahoo! claim that they do not provide "direct access" from their servers to the NSA unless under a court order, the NSA had access to emails, phone calls, and cellular data users. Under this new ruling, telecommunications companies maintain bulk user metadata on their servers for at least 18 months, to be provided upon request to the NSA.

Eleven percent of these monitored phone lines met the agency's legal standard for "reasonably articulable suspicion" (RAS). The NSA tracks the locations of hundreds of millions of cell phones per day, allowing it to map people's movements and relationships in detail. The NSA has been reported to have access to all communications made via Google, Microsoft, Facebook, Yahoo, YouTube, AOL, Skype, Apple and Paltalk, and collects hundreds of millions of contact lists from personal email and instant messaging accounts each year. It has also managed to weaken much of the encryption used on the Internet (by collaborating with, coercing, or otherwise infiltrating numerous technology companies to leave "backdoors" into their systems) so that the majority of encryption is inadvertently vulnerable to different forms of attack.

Domestically, the NSA has been proven to collect and store metadata records of phone calls, including over 120 million US Verizon subscribers, as well as intercept vast amounts of communications via the internet (Upstream). The NSA also supplies foreign intercepts to the DEA, IRS and other law enforcement agencies, who use these to initiate criminal investigations. Federal agents are then instructed to "recreate" the investigative trail via parallel construction. The NSA also spies on influential Muslim societies to obtain information that could be used to discredit them, such as their use of pornography. The targets, both domestic and abroad, are not suspected of any crime but hold religious or political views deemed "radical" by the NSA.

According to a report in The Washington Post in July 2014, relying on information provided by Snowden, 90% of those placed under surveillance in the U.S. are ordinary Americans and are not the intended targets. The newspaper said it had examined documents including emails, text messages, and online accounts that support the claim.

Congressional oversight

The Intelligence Committees of the US House and Senate exercise primary oversight over the NSA; other members of Congress have been denied access to materials and information regarding the agency and its activities. The United States Foreign Intelligence Surveillance Court, the secret court charged with regulating the NSA's activities, is, according to its chief judge, incapable of investigating or verifying how often the NSA breaks even its own secret rules. It has since been reported that the NSA violated its own rules on data access thousands of times a year, many of these violations involving large-scale data interceptions. NSA officers have even used data intercepts to spy on love interests; "most of the NSA violations were self-reported, and each instance resulted in administrative action of termination." The NSA has "generally disregarded the special rules for disseminating United States person information" by illegally sharing its intercepts with different law enforcement agencies.

A March 2009 FISA Court opinion, which the court released, states that protocols restricting data queries had been "so frequently and systemically violated that it can be fairly said that this critical element of the overall ... regime has never functioned effectively." In 2011 the same court noted that the "volume and nature" of the NSA's bulk foreign Internet intercepts was "fundamentally different from what the court had been led to believe".

Later that month, U.S. District Judge William Pauley ruled that the NSA's collection of telephone records is legal and valuable in the fight against terrorism. In his opinion, he wrote, "a bulk telephony metadata collection program [is] a wide net that could find and isolate gossamer contacts among suspected terrorists in an ocean of seemingly disconnected data" and noted that a similar collection of data before 9/11 might have prevented the attack.

Official responses

At a March 2013 Senate Intelligence Committee hearing, Senator Ron Wyden asked the Director of National Intelligence James Clapper, "Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?" Clapper replied, "No, sir. ... Not wittingly. There are cases where they could inadvertently perhaps collect, but not wittingly." This statement came under scrutiny months later, in June 2013, when details of the PRISM surveillance program were published, showing that "the NSA apparently can gain access to the servers of nine Internet companies for a wide range of digital data."

XKeyscore "provides the technological capability, if not the legal authority, to target even US persons for extensive electronic surveillance without a warrant provided that some identifying information, such as their email or IP address, is known to the analyst."

On July 31 NSA Deputy Director John Inglis conceded to the Senate that these intercepts had not been vital in stopping any terrorist attacks, but were "close" to vital in identifying and convicting four San Diego men for sending US$8,930 to Al-Shabaab, a militia that conducts terrorism in Somalia.

The U.S. government has aggressively sought to dismiss and challenge Fourth Amendment cases raised against it, and has granted retroactive immunity to ISPs and telecoms participating in domestic surveillance. The U.S. military has acknowledged blocking access to parts of The Guardian website for thousands of defense personnel across the country, and blocking the entire Guardian website for personnel stationed throughout Afghanistan, the Middle East, and South Asia.

In October 2014, a United Nations report condemned mass surveillance programs carried out by the U.S. intelligence communities and other nations as violating multiple global treaties and conventions that guaranteed core privacy rights.

Responsibility for global ransomware attack

An exploit dubbed EternalBlue, created by the NSA, was used in the WannaCry ransomware attack in May 2017. The exploit had been leaked online by a hacking group, The Shadow Brokers, nearly a month before the attack. Several experts have pointed the finger at the NSA's non-disclosure of the underlying vulnerability, and their loss of control over the EternalBlue attack tool that exploited it. Edward Snowden said that if the NSA had "privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, [the attack] might not have happened". Wikipedia co-founder, Jimmy Wales, stated that he joined "with Microsoft and the other leaders of the industry in saying this is a huge screw-up by the government ... the moment the NSA found it, they should have notified Microsoft so they could quietly issue a patch and really chivvy people along, long before it became a huge problem."

Activities of previous employees

Former employee David Evenden, who had left the NSA to work for US defense contractor CyberPoint at a position in the United Arab Emirates, was tasked with hacking UAE neighbor Qatar in 2015 to determine if they were funding the terrorist group Muslim Brotherhood. He quit the company after learning his team had hacked Qatari Sheikha Moza bint Nasser's email exchanges with Michelle Obama, just before she visited Doha. Upon Evenden's return to the US, he reported his experiences to the FBI. The incident highlights a growing trend of former NSA employees and contractors leaving the agency to start up their own firms, and then hiring out to countries like Turkey, Sudan, and even Russia, a country involved in numerous cyberattacks against the US.

leading to wide backlash among EU countries and demands for explanation from Danish and American governments.

Buying data without a warrant

NSA director Paul Nakasone disclosed in a letter to Representative Ron Wyden that the NSA buys data without a warrant.