August 13, 2017

Do NSA compliance reports point to an unknown classification compartment?

(UPDATED December 9, 2017)

On July 12, the American Civil Liberties Union (ACLU) published two Top Secret NSA compliance reports, which were obtained after declassification under the Freedom Of Information Act (FOIA). Here we will take a look the classification marking of these reports, of which one part has been redacted:




Both documents are quarterly reports from the NSA to the Foreign Intelligence Surveillance Court (FISC) on compliance under Section 702 of the FISA Amendments Act (FAA), which governs both the PRISM and the Upstream collection efforts. One of the reports is from March 2014, the other one from March 2015.

More about the content of these two compliance reports can be found in this article by The Hill, as well as in this posting on the weblog EmptyWheel.net. Here we will take a look at the classification of these reports.



Classification marking

The classification line of both reports is: TOP SECRET//[...]/SI//ORCON/NOFORN, which stands for:

- TOP SECRET: the highest classification level
- [...]: an unknown SCI control system
- SI: the SCI control system "Special Intelligence"
- ORCON: the dissemination restriction "Originator Controlled"
- NOFORN: the dissemination restriction "No Foreign Nationals"

As we can see, the double slash behind TOP SECRET is followed by a short space that has been redacted. Then comes a single slash, followed by SI for the control system for Signals Intelligence (SIGINT), which was formerly denoted as COMINT. This means that the redaction also hides a so-called control system, used for protecting national intelligence information concerning sources and methods.

The semiannual Section 702 FAA compliance reports, like this one from 2015, which are prepared by the Attorney General and the Director of National Intelligence, don't have the redacted marking and are just TOP SECRET//SI//NOFORN.

UPDATE:

Meanwhile, a reader suggested that the redacted part of the classification line might hide HCS, which is the abbreviation for HUMINT Control System. HUMINT stands for Human Intelligence, and therefore, HCS is the control system that protects intelligence from the CIA. And indeed, it appears that "HCS" fits the redacted space perfectly:



HCS itself isn't classified, so the reason why this marking appears redacted here, is probably that NSA only declassified its own part and redacted everything related to the CIA. Analysts of the CIA request and receive information from 702 FAA collection, but the scope of their involvement remains classified.

With HCS being the most likely option for the redacted space in the 2014 and 2015 compliance reports, please read the following with that in mind!


STELLARWIND

Another option that comes to mind is the STELLARWIND compartment, which was created in October 2001 to protect NSA's new collection methods as authorized by president George W. Bush. This is officially known as the President's Surveillance Program (PSP) and more popular as the "warrantless wiretapping".

For classification purposes, the abbreviation of STELLARWIND is STLW, which is too long for the redacted space in the marking on the compliance reports. The STELLARWIND classification guide from January 2009 does provide an interesting alternative though, where it says:

"The markings "TSP" and "Compartmented" were at times used in briefing materials and documentation associated with the STELLAR WIND program. "TSP" and "Compartmented" were used primarily by the National Security Agency (NSA) Legislative Affairs Office (LAO), NSA Office of General Counsel (OGC), and the Executive Branch in briefings and declarations intended for external audiences, such as Congress and the courts. The term "TSP" was initially used in relation to only that portion of the Program that was publicly disclosed by the President in December 2005. These markings should be considered the same as the STELLARWIND marking, but should not be directly associated with the program."

In several documents that had been presented to the FISA Court and meanwhile have been declassified by the US government, we can see this TSP marking:



Classified declaration of NSA director Alexander, April 20, 2007.


The two recently declassified compliance reports from 2014 and 2015 were also meant for the FISA Court, and if we try out "TSP", it fits the redacted space remarkably well:


 


PSP/TSP collection (2001-2007)

Under the President's Surveillance Program (PSP), as protected by the STELLARWIND compartment, it became possible for NSA to not only collect fully foreign communications, but also those with just one end foreign - the express aim was to find foreign terrorists with connections inside the US. Under the PSP the following data were collected (with their succeeding legal authorizations):

- Telephony content (since 2008: Section 702 FAA Upstream collection)
- Internet content (since 2008: Section 702 FAA Upstream collection)

- Telephony metadata (2006-2015: Section 215 (BR/FISA) bulk collection)
- Internet metadata (2004-2011: Section 402 (PR/TT) bulk collection)


The bulk collection of internet metadata was brought from the president's authority under that of the FISA Court (FISC) in July 2004, and the same happened with the bulk telephone metadata in May 2006.

The collection of both telephone and internet content became also authorized by FISC orders as of January 2007, which was temporarily replaced by the Protect America Act (PAA) in August 2007 and then permanently by Section 702 of the FISA Amendments Act (FAA) in July 2008.


Section 702 FAA is also the legal foundation for PRISM collection, which started in September 2007 with data being provided by Microsoft. Until October 2012, another eight internet companies had followed. While Upstream collection, at major telecom switches, only provides future communications in transit, PRISM gives access to stored data from a target's past too.

After revelations by the New York Times in December 2005, president Bush admitted that NSA was collecting the one-end foreign telephone and internet content and named it the Terrorist Surveillance Program (TSP). Bush stayed silent though about the other part of the PSP, which involved the bulk collection of domestic metadata.

The latter was first published about in May 2006 by USA Today, but it only became a big issue after June 2013, when Snowden provided the Verizon order to the press.



Another option

As we have seen, the TSP marking fits the redacted space in the classification line of the compliance reports very well, but of course it's always possible that a different abbreviation might be hidden there. In documents that have been declassified earlier, "TSP" was not redacted, so strictly spoken, it shouldn't have been redacted here.

And there's indeed another option: on September 6, 2014, the US Justice Department released a declassified version of a 2004 memorandum about the STELLARWIND program. The classification line of this document has a similar short redaction right after "Top Secret", just like in the compliance reports:



Classification marking of the 2004 DoJ memorandum about STELLAR WIND


Interestingly, "TSP" would also fit the redacted space here - but this wouldn't make much sense, as TSP was meant as a replacement for STELLARWIND for audiences who didn't have a need-to-know for the STELLARWIND cover term - and "STELLAR WIND" is in the classification line here too. Also, the name Terrorist Surveillance Program probably didn't exist in 2004, as it was apparently first used by President Bush in a speech on January 23, 2006.




So, it's not very likely that "TSP" is the marking that was redacted in the 2004 memorandum, but position and length of the marking indicate that it's very well possible that it's actually the same control system as in the classification line of the compliance reports from 2014 and 2015 - with an abbreviation of almost exactly the same length as "TSP".

Regarding the status of this mysterious marking: in the 2004 document it's shown between double slashes, which is strange, because according to the official classification manuals, there cannot be something between two double slashes in that position (see the chart below).

If this double slash is correct, then we would have a complete new category which isn't in the (public) classification manuals. This reminds of the UMBRA marking, which also appeared unexpectedly between double slashes in a classification line.

Another option is that the double slash behind the redacted marking is actually a mistake and there should have been just a single slash, just like in the classification lines of the 2014 and 2015 compliance reports. In this case, the marking represents a normal control system like SI, HCS, and several others mentioned in the classification manuals.



Overview of the categories and formatting for the US classification and control markings
From the Intelligence Community Classification Manual 6.0 from December 2013
(click to enlarge)



In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties