I’m working on a more substantive post on the Section 702 Semiannual Compliance Assessment released last week as part of the I Con dump.
But for the moment, I want to point to a passage that begins to answer a question I asked two months ago: how does the data from NSA’s programs get to the National Counterterrorism Center, which then crunches that data and sends it out to other parts of government.
A footnote of the Assessment notes,
The other agency involved in implementing Section 702 is the National Counterterrorism Center (NCTC), which has a limited role, as reflected in the recently approved “Minimization Procedures Used by NCTC in connection with Information Acquired by the FBI pursuant to Section 702 of FISA, as amended.” Under these limited minimization procedures, NCTC is not authorized to receive unminimized Section 702 data. Rather, these procedures recognize that, in light of NCTC’s statutory counterterrorism role and mission, NCTC has been provided access to certain FBI systems containing minimized Section 702 information, and prescribe how NCTC is to treat that information. For example, because NCTC is not a law enforcement agency, it may not receive disseminations of Section 702 information that is evidence of a crime, but which has no foreign intelligence value; accordingly, NCTC’s minimization procedures require in situations in which NCTC personnel discover purely law enforcement information with no foreign intelligence value in the course of reviewing minimized foreign intelligence information that the NCTC personnel either purge that information (if the information has been ingested into NCTC systems) or not use, retain, or disseminate the information (if the information has been viewed in FBI systems). No incidents of noncompliance with the NCTC minimization procedures were identified during this reporting period. The joint oversight team will be assessing NCTC’s compliance with its minimization procedures in the next reporting period.
This passage has some good news, and some bad news.
The good news is that NCTC gets no unminimized collection, which CIA and FBI do. We have no idea what FBI’s minimization procedures (which does the minimization before NCTC gets it) look like — though elsewhere this Assessment makes it clear that most initial distributions of data from FBI come with US person identity hidden. But at least most US person data will be protected when NCTC gets it.
The bad news is that this is a recent development. It probably post-dates 2011, as John Bates makes no mention of NCTC’s minimization procedures in his October 3, 2011. And the reference to the compliance team reviewing this in the next Assessment (which would cover December 2012 through May 2013) suggests the minimization procedures may be very recent. What has happened with this data in the past?
And explain to me how, if NCTC “may not” receive that US person data that has been referred to FBI because it is evidence of a non-terrorist crime, its minimization procedures explain what to do if they happen to discover such data in their possession. Perhaps the problem is in processing that takes place at FBI (in that such information isn’t adequately segregated), not at NCTC?
Remember, much of the analysis that happens at NCTC can affect US person’s lives, but (unlike much of FBI’s work) doesn’t get reviewed by a court. The data that gets to them might well be particularly sensitive.