Documents just released by the U.S. government say that, far from being the well-oiled machine Alexander described to the security conference last month, the so-called business-record metadata gathering program was repeatedly misused, data about activity on certain phone lines was accessed without appropriate authorization, and no single person at the NSA understood the technicalities of the system architecture.
Not only that, the NSA misled the Foreign Intelligence Surveillance Court about its misuse of the data, according to FISC documents from 2009.
At Black Hat, Alexander described the call-detail records gathered by the NSA and stockpiled in a database for five years at a time as well guarded and queried only if there is "reasonable actionable suspicion" that a specific phone number was linked to foreign terrorists.
"The database is like a lockbox," Alexander said at the time. "The controls that go on this database are greater than any data repository in government, and the oversight is the same."
The database consists of the date and time of calls, calling number or IP address, called number or IP address, duration of calls or length of emails, and the origin of the metadata information. The NSA vacuums up this data from service providers on all calls and taps into it only under controlled circumstances, or at least that's how it is supposed to work.
But in 2009 the NSA list of phone numbers being checked consisted mostly of numbers that had not met the reasonable actionable suspicion standard, according to a March 2, 2009 order by FISC Judge Reggie B. Walton.
One problem was that for years, nobody at the NSA understood the system in its entirety. "In fact," Walton wrote, "the government acknowledges that, as of August 2006, 'there was no single person who had a complete understanding of the BR FISA system architecture.'"
One of the NSA's excuses was that it thought the reasonable actionable suspicion rule applied only to data residing in certain NSA databases, not to data rolling in from service providers about calls being made day-to-day. "That interpretation of the Court's Orders strains credulity," Walton wrote. If that interpretation were accurate, it would mean the rule was merely optional, he wrote.
The NSA further argued that this misuse of the database wasn't surprising because that's how data gathered from other sources is handled. That means the root problem was not that there was a misunderstanding between the NSA and the court, but that the NSA decided on its own that the court-approved rules didn't apply, Walton wrote.
In contrast, at Black Hat Alexander said NSA analysts faithfully follow the court's rules about whether phone numbers can be run through the database. "They have to prove that that meets a standard set by the court that this has that counterterrorism nexus with Al Qaeda related groups," he said. "Then and only then is that number added to a list that can be queried."