and CivilLiberties Oversight Board

Report on theGovernment s
Use of the Call Detail

Program Under the
USA Freedom Act

Working to ensure that efforts by the Executive Branch to
protect the nation from terrorism appropriately safeguard
privacy and civil liberties .

February 2020
Privacy and Civil Liberties OversightBoard • PCLOB. gov

pclob.gov

 SECRET

Board Members
Adam

I. Klein , Chairman
Jane E . Nitze

Edward W . Felten

Travis LeBlanc
Aditya Bamzai

TOP SECRET

 TOP SECRET

Table of Contents
( U ) Executive Summary

.. . ...

I.

(U Introduction

II.

( U ) NSA ' s Collection of CDRsunder the USA Freedom Act . .

III.

( U ) Operational Use of the USA Freedom Act CDR Program . . . .

IV .

( U ) Legal Analysis ...

V.

( U ) Analysis of Privacy Risks ..

VI.

( U ) Statement of Chairman Adam Klein .. ... ...

VII. ( U ) Statement of BoardMembers Ed Felten and Travis LeBlanc . .. . .

. .

.

VIII. ( U ) Statementof BoardMembersAditya Bamzaiand Jane Nitze

.... . . . ... ..... . ....

(U ) Appendix A . .

(U ) Appendix B . . .. .

TOP SECRET

.

..

 TOP SECRET

( U ) Executive Summary
(U ) The Privacy and Civil Liberties Oversight Board (the “ Board ) presents this report to
provide greater transparency and clarity about the collection of phone call detail records
(“ CDRs” ) under the USA Freedom Act. This authority is scheduled to sunset on March 15 ,
2020 .

( U ) The Board commenced work on this report in January 2019. Subsequently , in early
2019 , NSA suspended its collection of CDRs under the USA Freedom Act. NSA halted the
program “ after balancing the program s relative intelligence value, associated costs, and
compliance and data - integrity concerns causedby the unique complexities ofusing these
provider- generated business records for intelligence purposes.” The Board proceeded to
complete the report, which itoffers to enhance the public s understandingof the program and to
assist Congressas considers the reauthorization of statutory language related to the CDR
program
( U ) Program Legality and Operation

(U ) The USA Freedom Act amended the Foreign Intelligence Surveillance Act (“ FISA” )
to expressly bar the government from using its business records collection authority for bulk
collection . This prohibition effectively ended the bulk telephony metadata program that the
government had operated under the then-existing version of Section 215 of the USA Patriot Act.

(U ) At the same time, the USA Freedom Act allows the governmentto obtain CDRson a
broaderbasis than other business records authorized for collection under the Act. Put simply, it
authorizes the government to collect CDRswithin two hops
., a person s contacts, and those
contacts' contacts
a specific selection term . Specific selection terms, such as a phone
number or InternationalMobile Equipment Identity number, must be associated with a foreign
power engaged in internationalterrorism and be approved by the FISA court. The Act also
provides that CDRscannot include the contents of any communication; the name, address, or
financial information of a subscriber or customer; or cell-site location or global positioning
system information. In 2018, the governmentobtained a relatively low number of FISA court
orders — 14 and collected a large number of CDRs more than 434 million, includingan
unknownnumber of duplicates, involving 19 million phone numbers.

Letter from Director of NationalIntelligence Dan Coats to Senators Richard Burr Lindsey Graham , Mark
Warner, and Dianne Feinstein (Aug. 14, 2019 ).

Classified By: Privacy and CivilLiberties OversightBoard

Derived From
Declassify

SECRET

 TOP SECRET

(U

Findings
(U ) The CDR program was constitutionalunder settled Supreme Court precedent.

•

) NSA

collection of two hops ofCDR data on an ongoingbasiswas statutorily

authorized

(U ) The Board found no abuse ofthe program ; nor did it find any instance in which
governmentofficials intentionally sought records that they knew were statutorily
prohibited.

(U ) NSA acquired landline and wireless phone callrecords under the USA Freedom Act.
The Board found no evidence thatNSA received any of the statutorily prohibited
categories of information, such as name, address, financial information, cell-site location
information, or global positioning system information from providers during the
program ' s operation.
did not use this authority to obtain metadata associated with

(U ) Program Use and Value
( U ) Findings

(U ) NSA typically used the CDR program in response to a terrorist attack or a known
terrorist threat. Forexample, NSA produced intelligence reports that were derived in
whole or in part from the USA Freedom Act CDR program in its analysis of the Pulse
nightclub shooting in 2016 and the Ohio machete attack in 2016 .
(U ) USA Freedom Act CDRswere cited in 15 intelligence reportsover the program s
four-year operation.
(
information

15 reports
USA Freedom Act CDRs, FBIreceived unique
two of the intelligence reports. Based on one report, FBIvetted an

individual, but, after vetting, determined thatno further action was warranted. The
second report provided unique information about a telephonenumber, previously known
to US authorities,which led to the openingof a foreign intelligence investigation ;

 TOP SECRET

( U ) Data Integrity Concerns and Compliance Incidents

( U ) The program experienced a series of compliance incidents and data- integrity
problems, which led NSA to issue about a dozen notices to the FISA court since 2016 . After
repeatedly discovering anomalies in the data it received, NSA suspended the collection of CDRs
in early 2019. NSA subsequently deleted all CDRscollected under the USA Freedom Act.
(U ) Someof the compliance incidents were of types that could have arisen in other
intelligence or equivalent law enforcement collection authorities. These include incidents
involving information inadvertently omitted from a FISA court application, certain NSA officers
who had access to data withoutrequired training, and a provider s production of data beyondthe
end date of an order.
(

Other incidents raise questions unique to the contours of the USA Freedom

Act. Beginning in 2016 , NSA identified a series of data- integrity problems related to
and other data errors. In mostof these cases, NSA systems
unknowingly relied on inaccurate first -hop data to determine which second-hop requests to issue.
Additional compliance incidents arose from other data errors , such as overwriting of data fields
with incorrect or unrelated data .

(U ) These problems, taken together, contributed to NSA' s decision to delete the USA
Freedom Act CDR data in 2018 and again in 2019, and its decision to eventually suspend the
program
( U ) Findings
( U ) Based on a review of the facts, the Board determined thatthe complianceincidents
, notwillful.
were inadvertent

(U ) NSA took steps to remedy each compliance incident, including notifying appropriate
oversightentities, imposingadditional limits on data requests, and deleting erroneously
obtained data.
( U ) In response to each compliance incident that raised questions about the scope of
permitted collection under the statute , NSA chose to follow a narrower, rather than a
more expansive , understanding of its authority under the USA Freedom Act.

2 (U ) Whenever NSA deletedUSA Freedom Act CDRs, it did notdelete underlyingdata thathadbeen used in
disseminated intelligencereportingor data that was considered “missionmanagementrelated information.” This
was consistentwith NSA' s minimization procedures. See Nov. 2015 MinimizationProceduresUsed by the National
Security Agency in Connection with the Production of CDRsPursuantto Section 501of the Foreign Intelligence
Surveillance Act, as amended (“NSA MinimizationProceduresfor CDRs” .

 TOP SECRET

(U ) Introduction
(U ) The Privacy and Civil Liberties OversightBoard ( the “ Board ) presents this reportto
provide greater transparency and clarity on how the government implemented certain authorities
created or extended by the USA Freedom Act. In particular, the report examines collection of
phone call detail records (“ CDRs ) under the USA Freedom Act, which has proven to be of great
public interest. CDRsinclude someof the information that typically appears on a customer 's
phone bill: the date and time of a call, its duration, and the participating phone numbers. CDRs
never include the content of phone conversations. The CDRs received under the USA Freedom
Act also did not include names, street addresses, financial information, global positioning system
information, or cell-site location information.

(U ) The Board hopes this reportwill help Congress, executive branch agencies, and the
public understandthe government s use of these authorities and any related privacy and civil
liberties concerns, particularly in lightof the impending sunset. The Board worked with other
government agencies to declassify information to achieve the greatestdegree of transparency
consistent with the protectionof classified or otherwise privileged information. As a result,
someof the facts presented in this report are being disclosed to the public for the first time. The
Board looks forward to further collaboration with Congress and other executive branch agencies
to “ ensure that liberty concerns are appropriately considered in the development and
implementation of laws, regulations, and policies related to efforts to protect the Nation against
terrorism .
A .

(U ) FISA and the Pre- 2015 Bulk Collection Program

(U ) Since 1998, the Foreign Intelligence Surveillance Act (“ FISA ” ) has permitted the
government to obtain business records for use in national-security investigations. Under the first
iteration of this provision , the government could obtain business records associated with car
rentals, storage units, public accommodations , and common carriers. Any request for business
records in an investigation of a US person must be based on a counterterrorism or

3 (U) 42 U . S. C .

2000ee( )(2).

4 (U ) FISA, originally passed in 1978, created a statutory regimeregulating the government' s use of certain
investigatory techniques for nationalsecurity purposes. Among other things, FISA created a specialcourt
comprised of Article III judges, to hear governmentapplicationsto use those techniques. See 50 U .S . C . 1801et
seq
5 (U ) 50 U . S. C .

1862(b )(2)( B ) (2000 ).

TOP SECRET

 TOP SECRET

counterintelligence investigation that isnotpremised solely on activities protected by the First
Amendment.

(U ) After the 9 /11attacks, Congress passed the USA Patriot Act, which revised the
business records provision of FISA. Specifically, Section 215 of the USA PatriotAct expanded
the business records provision to allow the government to request a FISA court order compelling
the production of any “ tangible things,” including books, records, papers, and documents that are
relevant to an authorized FBIinvestigation.

(U ) Under Section 215 , the FISA court authorized the government' s collection of
virtually all CDRsheld bycertain US phone providers.

This collection program was commonly

referred to as the “
” CDR program . Approximately every 90 days , the governmentfiled an
application with the FISA court requesting an order that providers continue to produce their
CDRsto NSA.

When the FISA court approved an application , the court issued orders,

including secondary orders directly addressed to providers.

The secondary orders required the

providers to produce their CDRs to NSA “ on an ongoing daily basis” for the ninety-day duration
of the order. 12
( U ) NSA stored these CDRsin a database thattrained analystscould access as part of
NSA s counterterrorismmission. 13 In 2013, NSA stated that the program enabled
(

50 U .S . C .

1861(a )(1).

( The full nameof theUSA Patriot Act is the “Uniting and Strengthening America by Providing Appropriate
Tools Required to Interceptand Obstruct Terrorism Act.” Pub . L . No. 107-56 (2001) (codified as amended at 50
U . S.C . 1861et seq.).
8 (U ) Privacy and Civil Liberties Oversight Board, Reporton the Telephone Records Program Conducted under
Section 215 of the USA PatriotAct and on the Operationsof the Foreign Intelligence Surveillance Court (2014)
[hereinafter 2014 Board Report https://www .pclob. gov/ library/215
Report_ on _ the_ Telephone _ Records Program pdf; AmendedMemorandum Opinion In re application of the
FederalBureau of Investigation for an Order requiring the Production of Tangible Things, No. BR 13– 109 (FISA
Ct. Aug. 29 , 2013); Memorandum Opinion, In re Application of the Federal Bureau of Investigation for an Order
Requiring the Production of Tangible Things, No. BR 13– 158 (FISA Ct. Oct. 11, 2013).
(U ) The phrase
collection does notappear in FISA ; rather, it is commonly used in this context to refer to the
collection of largeamounts of data that is not limited by a specific selection term or individualized suspicion . Cf.
PresidentialPolicy Directive 28 2014 ) (defining bulk collection as “ collection of large quantities of signals
intelligence data .
is acquired without the use of discriminants (e. g., specific identifiers, selection terms,
etc .)” ). Collection of data that is not
as commonly understood, may nonethelessresult in the government s
acquisition of very large volumes of data .
10 (U ) See Order, In re Application of the FederalBureau of Investigation for an Order Requiring the Production of
Tangible Things from [Redacted ]
. BR 06 05 2 3 (FISA Ct.May 24, 2006) (“CDR Order”).
(U ) 2014 Board Reportat 23 .
12 (U ) 2014 Board Reportat 23 24 .
13 (U ) 2014 Board Report at 29 .

 " comprehensive” analysis of telephone communications that cross different providers and
telecommunications networks.
chain ”

Once in NSA s database, NSA analysts could contact

or otherwise query the database when authorized under a FISA court order.

The FISA

court order required that one of twenty -two designated NSA officials determine that there was a
reasonable articulable suspicion that the query term was associated with one of the terrorist
groups specified on the court' s order. 17 Contact chaining enabled NSA analysts to retrieve
CDRs relating to a direct phonecontact with a target (the “
contactwith any of the first-hop numbers (the " second hop
contactwith any of the second-hop numbers (the
chaining 18

hop

hop
relating to a direct
and CDRsrelating to a direct
for a total of three hops of contact

(U ) For example, hypothetically, in the aftermath of a terrorist attack in Manhattan, an
NSA analystmay have learned from FBI s New York field officethat the attackerused a
particular phone number.
learning this phone number, the NSA analyst could seek
approval from one of the twenty -two designated NSA officials by showing that therewas a
reasonable articulable suspicion that the phone numberwas associated with a specified terrorist
group. If the designated official approved , the NSA analyst could use that phone number to
query the database of CDRsproduced every day by the providers. The result of the query would
identify CDRsrelatingto direct phone contactswith the attacker ( the first hop) , CDRs relating to
the phonecontacts with the attacker's contacts (the secondhop) , and CDRsrelatingto the direct
contacts with any second-hop numbers (the third hop). “ Somehave suggested that ifNSA ' s
[bulk collection program were in placebefore 9 / 11, it could have alerted the governmentthat
one of the future airplane hijackerswas in the United States, and perhaps have led to the
prevention of the attacks.

14 (U ) See Declaration of Teresa H. Shea, Signals Intelligence Director , National Security Agency at 59 –60, ACLU
v. Clapper, 959 F. Supp . 2d 724 ( S. D . N . Y 2013 ) (No. 13– 3994 ).
15

Contact chaining is a type of analysis in which a

of contacts

linking communicants and identifying additional phone numbers ,

intelligence interest.
seed number

The contact-chaining

of potential
identifiesthe firsthop of contactsmadeby a

andbuildsout further contactsmadeby the first
- hop phonenumbers
thebulk program, the government
used selectorsassociatedwith telephones
, such astelephone

numbers

, to conductcontactchaining
.

See 2014 Board Report at

26 .
16 (U ) See CDR Order at 5 6 ; see also 2014 Board Report at 26 31.
17 (U ) See CDR Order at 5–6 ; see also 2014 Board Report at 27.
18 (U ) Additional information regarding the provenance and operation ofNSA ' s bulk collection program is available
in the 2014 Board Report .
19 (U ) See 2014 Board Report at 153–

.

TOP

 (U ) In 2013, unauthorized disclosures of classified documents by Edward Snowden
revealed the natureand scope ofthe CDR program (among other intelligence activities). The
Presidentand House Minority Leader asked the Board to review aspects of the CDR program .20
The Presidentalso ordered a separate review group to evaluate the program and consider
modificationsto its operations.

B.

(U ) The Board ' s Section 215 Report

(U ) The Board issued its report on the CDR program in 2014 ( the “ 2014 Board
Report”).
In that Report, the Board concluded that the program was not authorized by Section
215 ofthe USA Patriot Act and conflicted with another federal statute, the Electronic
Communications Privacy Act
(U ) The 2014 Board Reportmade two major recommendations concerning the CDR
program : ( 1) theUS government should discontinue the bulk collection program ; 24 and (2 ) to the
extentthe program continued, the executive branch should add certain privacy safeguards.

The

Report contained an additionalten recommendations for enhancing oversight and transparency 26
( U ) In lightof these recommendationsand the report of the President' s review group ,27
the Presidentordered NSA to query the CDRs collected under the CDR program only if ( 1) a
FISA court judge first approved the seed number for such queriesbased on a judicial finding, or
(2 ) in the case of a true emergency.28 Seed numberswere generally phone numbers, butcould

20 (U ) See Remarks by the President at a White House Press Conference (Aug. 9 ,2013),
http:// www.whitehouse.gov/the-press-office/ 2013/08/09/ remarks-president-press-conference; Letter from
DemocraticLeaderNancy Pelosito Chairman David Medine (July 11, 2013), https://www .pclob. gov/library/Letter
Pelosi.pdf
21(U ) The White House, PresidentialMemorandum ReviewingOurGlobal Signals IntelligenceCollectionand
Communications Technologies (Aug. 12, 2013), https://obamawhitehouse.archives.gov /the-press
office/ 2013/08 / 12/presidential-memorandum-reviewing-our- global-signals-intelligence- collec.
22 ( U ) 2014 Board Report.
23 (U ) 2014 Board Reportat 8 – 10 (“ That statute prohibits telephone companies from sharing customerrecordswith
the government except in response to specific enumerated circumstances,which do notinclude Section 215
orders.” .
24 (U ) 2014 Board Report at 168– 72. Two of the five BoardMembers did not believe the program should be
discontinued before an adequate alternative was instituted. See 2014 Board Report at 208 – 18.
25 (U ) 2014 Board Reportat 168–72.
26 (U ) 2014 Board Report at 173– 206 .
27 (U ) The White House, Liberty and Security in a Changing World (Dec. 12, 2013) ,
https://obamawhitehouse.archives.gov/ sites/ default/ files/docs/ 2013- 12-12_ rg_ final_ report.pdf.
28 (U ) The White House, Remarksby the Presidenton Review of Signals Intelligence(Jan . 17, 2014),
https://obamawhitehouse.archives.gov/the -press office/ 2014 /01/17/ remarks-president- review -signals- intelligence;

SECRET

 SECRET

have also been other unique identifiers, such as an International Mobile Subscriber Identity
(“

” ) or InternationalMobile Equipment Identity (“

card or phone, respectively .

” ) number associated with a SIM

Additionally , the President limited query results to CDRswithin

two hops of the query target instead of the previous three. 30 In other words, although NSA still
received the sameCDRs from the same providers, NSA analysts could only retrieve the first two

hops.31
(U ) The Board continued its oversight of the CDR program after releasing its report.
Initially, the Board concentrated on reviewing the government s response to its
recommendations, which the Board summarized in its 2015 Recommendations Assessment
Report.

That report concluded that the government had not implemented the Board' s

recommendation to end the bulk collection of CDRs.

C .

(U ) The USA Freedom Act

(U ) After hearings and debate , Congress enacted the USA Freedom Act on June 2, 2015 .
The President signed it into law that day . The Act amended FISA ' s provisions governing the
collection of business records, imposing new requirements on the government ' s collection of and
access to CDRs.

see also The White House, FactSheet: The Administrations Proposalfor Ending the Section 215 Bulk Telephony
Metadata Program (Mar. 27, 2014), https://obamawhitehouse.archives.gov/the- press-office/2014/03/ 27 /fact-sheet
administration-s-proposal-ending-section-215-bulk-telephony-m .
29 (U ) NSA briefingto the Board (Jan. 23, 2019). An IMSIis generally a fifteen digit number used to uniquely
identify userson a cellularnetwork. The number is either associateddirectly with a phone or, more commonly, is
puton a small chip, known as a subscriberidentificationmodule ( SIM ) card, which is inserted into a cellular
phoneor similar device. An IMEIis a uniquenumbergiven to mobile phones; it is typically found behindthe
battery
30 (U ) The White House, Remarksby the Presidenton Review of Signals Intelligence (Jan. 17, 2014),
https:// obamawhitehouse.archives.gov/ the -press-office/ 2014/01/ 17/ remarks-president-review -signals- intelligence;
see also The White House, Fact Sheet: The Administrations Proposalfor Endingthe Section 215 Bulk Telephony
Metadata Program (Mar. 27 , 2014), https //obamawhitehouse.archives. gov/the-press-office/2014/03/27/fact-sheet
administration-s-proposal-ending-section-215-bulk-telephony-m .
31(U ) TheWhite House, Remarksbythe Presidenton Review of Signals Intelligence(Jan. 17, 2014 ),
https://obamawhitehouse.archives. gov/ the-press-office/2014/01/ 17/remarks-president-review-signals-intelligence;
see also TheWhite House, FactSheet: The Administrations Proposalfor Ending the Section 215 Bulk Telephony
Metadata Program (Mar. 27, 2014), https://obamawhitehouse.archives. gov/the-press-office/ 2014 /03/27 /fact-sheet
administration-s-proposal-ending-section-215-bulk -telephony-m .
32 (U) Privacyand CivilLibertiesOversightBoard, RecommendationsAssessmentReport(Jan. 29, 2015),
https://www. pclob. gov/library/RecommendationsAssessment-Report.pdf.
33 (U ) Unitingand StrengtheningAmericaby FulfillingRights and EnsuringEffectiveDisciplineOverMonitoring
Act of 2015, Pub. L. No. 114 23 129 Stat. 268 (2015 ). Although officially written as the “USA FREEDOM Act,”
wehave used “USA Freedom Act” for readability. Asdefined in the USA Freedom Act, t he term
detail

TOP SECRET

 SECRET

( U ) The USA Freedom Act amended Section 215 to expressly bar the government from
using FISA s business records collection authority for bulk collection of CDRs— that is,
collection not based on a “ specific selection term ” ( such as a phone number) or individualized
suspicion .

NSA no longer obtains CDRs in bulk from providers.

(U ) At the same time, the USA Freedom Act also allowed the government to continue to
obtain CDRson a broader basis than other business records. Specifically, it authorized the
of call detail records using the
government to compel providers to produce both “ a first
specific selection term ” and “ a second set of call detail records using session - identifying
information . . . identified by the first request. Put simply, the USA Freedom Act enabled the
government to collect CDRs within two hops of a specific selection term on an ongoing basis.
(U ) By statute, a specific selection term mustbe a term that“ specifically identifiesan
individual, account, or personaldevice. 36 In practice, NSA does notuse names or “ accounts” as
specific selection terms, and instead uses termsassociatedwith particular electronic devices,
such as phone, IMSI
, and IMEInumbers.

(U ) To obtain a court order compelling providers to produce CDRs, the USA Freedom
Act requires the government to identify a “ specific selection term ” and demonstrate reasonable
articulable suspicion to the FISA court that the term is associated with a foreign power or agent
of

foreign power that is engaged in internationalterrorism or activities in preparation for

record ' ( A ) means session -identifying information (including an originating or terminating telephone number, an
InternationalMobile Subscriber Identity number, or an International Mobile Station Equipment Identity number), a
telephone calling card number, or the time or duration of a call, and (B ) does not include (i ) the contents . . . any
communication ; (ii) the name, address , or financial information of a subscriber or customer; or (iii) cell site location
or global positioning system information . ” 50 U .S .C . 1861 k) ( 3).
34 ( U ) See 50 U .S .C . 1861(c )(3 ) (“ No order issued under this subsection may authorize the collection of tangible
things without the use of a specific selection term that meets the requirements in subsection (b ) ( 2 ).
also
discussion of “ bulk collection ” in footnote 9 above .
35 ( U ) 50 U .S . C . 1861(c )( 2 ) (F) (“ An order under this subsection . . shall . . ( ) provide that the Government
may require the prompt production of a first set of call
records using the specific selection term . . . and ] (iv
provide that the Government may require the prompt production of a second set of call detail records using session
identifying information or a telephone calling card number identified by the specific selection term used to produce
call detail records under clause ( iii)[. ]” ) .
36 ( U ) 50 U .S . C . 1861k ) ( ) ( B ) (“ For purposes of an application submitted under subsection (b ) (2 ) (C ), the term
specific selection term means a term that specifically identified an individual , account, or personal device. ” ) .
37 ( U ) 2014 Board Report at 26 ; NSA Civil Liberties and Privacy Office, Transparency Report : The USA
FREEDOM Act Business Records FISA Implementation 4 (Jan . 15 2016 ) ; see also NSA briefing to the Board (Jan .
23 , 2019 ) ; Part III( A ).

TOP SECRET

 TOP SECRET

international terrorism . 38 The statute includes an emergency exception , which allows the
Attorney General to temporarily authorize collection .

(U ) If the FISA court approves a specific selection term , NSA may use that specific
selection term to obtain two hops of CDRs. 40 The technical architecture that NSA created to
collect those CDRs from providers is discussed in greater detail below .

(U ) The USA Freedom Act also implemented a number of other surveillance reformsand
oversightmechanisms. For example, the Act created a panel of cleared amici (technical and
legal experts ) from whom the FISA court can solicit additionalperspectives on mattersof
privacy and civil liberties, communications technology, and other technical or legal matters
presented by its cases. The Act also required that the Director ofNationalIntelligence, in
consultation with the Attorney General, conduct a declassification review of each decision by the
FISA court that includes a novel and significant interpretation and make publicly available to the
greatest extent practicable each decision. Further, the Act required the AttorneyGeneraland
Directorof NationalIntelligenceto report to Congressthe totalnumberof applications approved
by the FISA court under the CDR provision each year.43

38 (U ) 50 U . S . C . 1861b) (2 ) ( C ) (“ Each application. . . shall include. . . in the case of an application for the
production on an ongoing basis of call detail records . . . a statementof facts showing that there are reasonable
groundsto believe that the call detail records soughtto be produced based on the specific selection term . . . are
relevantto
investigationto protectagainst internationalterrorism and there is a reasonable, articulable
suspicion that such specific selection term is associated with a foreign power engaged in internationalterrorism or
activities in preparation therefor[.]” ) .
39 (U ) See 50 U .S .C . 1861(i )( 1) ( A ) (“ [ ]he Attorney Generalmay require the emergency production oftangible
thingsif the Attorney Generalreasonably determines thatan emergency situation requires the production of tangible
things before an order authorizingsuch productioncan with due diligence beobtained [. ” ). The definition of
AttorneyGeneral in FISA includes certain senior level officials in the Departmentof Justice. See 50 U .S. C .
1801( g).
40 ( U ) 50 U .S . C . 1861(c )( ) (F) i ) (“ An order underthis subsection . . . shall authorize the production on a daily
basis of call detailrecords for a period not to exceed 180 days
.
41 (U ) 50 U . S. C . 1803(i )( 1) (“ The presiding judges of the courts established under subsections (a ) and (b ) shall, not
later than 180 days after June 2 , 2015 jointly designate notfewer than 5 individuals to be eligible to serve as amicus
curiae, who shall serve pursuantto rules the presidingjudges may establish. .
42 (U ) 50 U .S . C . 1872(a) (
he DirectorofNationalIntelligence, in consultation with the AttorneyGeneral, shall
conduct a declassification review of each decision, order, or opinion issued by the Foreign IntelligenceSurveillance
Court or the Foreign Intelligence Surveillance Court of Review . . . that includes a significant construction or
interpretation of any provision of law , includingany novelor significant constructionor interpretation of the term
specific selection term
and , consistentwith that review , make publicly available to the greatest extentpracticable
each such decision, order, or opinion.” ) .
43 ( U ) See 50 U . S .C . 1861b )(4 ) ( “ In April of each year, the Attorney General shall submitto the House and Senate
Committeeson the Judiciary and the House PermanentSelect Committee on Intelligenceand the Senate Select
Committee on Intelligence a reportsetting forth with respect to the preceding calendaryear . . . the totalnumber of
10

TOP SECRET

 D.

( U ) Effectsof the ImpendingSunset

(U ) Unless reauthorized, several provisions extended or amended by the USA Freedom
Act will expire, or “ sunset,” on March 15, 2020.
(U ) Most notably , NSA ' s explicit statutory authority to obtain two-hop CDRs associated
with an approved specific selection term will expire . In addition , the explicit prohibition on
using the business records provision to collect records that are notbased on a specific selection
term will expire. The resulting statute would notexplicitly authorize the government to collect
business records beyond one degree of separation from the target, but itwould notexplicitly bar
itfrom doing so either.

(U ) A sunset would also significantly curtail the broader, “ traditional” FISA business
records authority , which would revert to its pre - 9/ 11 text. Before 9 / 11, the statute was limited to
records” from common carriers, public accommodation facilities , storage facilities, and vehicle
rental facilities. Consequently, the government would no longer be authorized to seek broader
business records productions from other, non-enumerated entities.
(U ) The evidentiary standard required to compel production of these recordswould also
becomemore stringent. Specifically, the standard would shift from a showing that the records
sought are relevant to an authorized investigation

current standard — to requiring

specific and articulable facts giving reason to believe that the person to whom the record
pertains is a foreign power or agentof a foreign power.
(U ) Finally , the USA Freedom Act extended the sunsets of two other FISA provisions :
the lone wolf and rovingwiretap authorities.
Without congressional action, these authorities
will also expire on March 15, 2020. 47

applications described in section 1861(b ) (2 )( C ) of this title made for orders approving requests for the production of
call detail records. .
44 ( U ) 50 U. S. C .

1862 (2000 ).

45 ( U ) 50 U . S.C .

1861(b )( 2 )( A ), (c) ( 1); 50 U . S . C .

1862(b ) ( 2) ( B ) (2000 ) .

46 (U ) Under the lone wolf authority , the government can obtain a FISA court order for electronic surveillance of a
non-US person upon a showing of probable cause that such person engaged in international terrorism or activities
in preparation for international terrorism without having to show that the non-US person is doing so on behalf of a
foreign power . The government hasnever used this broadened definition operationally . The roving wiretap
authority modified FISA to permit the government
seek a FISA court order to conduct electronic surveillance
without having to specify the entities from whom technical assistance will be required . This authority enables
continued surveillance should an individual switch from one provider to another .
47 (U ) Some provisions of the USA Freedom Act are not subject to sunset . These provisions include the new
oversight and transparency mechanisms described above .

11

TOP SECRET

 TOP SECRET

E.

( U ) The Board' s ContinuingOversight of CDR

(U ) The Board ' s oversightof the government' s
collection continued after passage
of the USA Freedom Act. In 2016 , the Board reviewed the government's response to the 2014
Board Report recommendations and issued a second recommendations assessment report. 48 In
that report, the Board found that the government had addressed most of its recommendations.

(U ) Since then , NSA has provided the Board with regularwritten and oralnotifications
about significantdevelopmentsin the operation of the CDR program . The Board received
multiplein-person briefings from relevantgovernmentagencies and received responsesto
written and oral questions, aswellas documentrequests. Additionally, the Board hosted a public
forum inMay 2019 to hear from a rangeof expertson the USA Freedom Act. The discussion
focused on the history and implementation ofthe Act, presentchallenges, and the path ahead.
The panelists included academics, former governmentofficials, and representativesfrom non
governmentalorganizations. The Board appreciatesthe timeand observationscontributedby the
participants.

48 (U ) Privacy and Civil Liberties Oversight Board , Recommendations Assessment Report (Feb. 5 , 2016 ),
https://www .pclob . gov/ library /Recommendations _ Assessment _ Report_ 20160205.pdf.
49 (U ) Privacy and Civil Liberties Oversight Board , Recommendations Assessment Report, 1(Feb . 5, 2016 ),
https //www .pclob.gov/ library /Recommendations _ Assessment _ Report_ 20160205. pdf.
50 (U ) Public Forum of the Privacy and Civil Liberties Oversight Board To Examine the USA Freedom Act ,
Telephone Records Program (May 31, 2019), http: //www .pclob. gov.
12

TOPSECRET

 SECRET

II
.

(U ) NSA s Collection of CDRsunder the USA Freedom
Act

(U ) NSA worked with telephony providers to create a technical architecture to collect and
use CDRs under the USA Freedom Act.
This included technical processes and infrastructure
to use approved specific selection terms to obtain , analyze, and controlaccess to the CDRs.
NSA released an unclassified description of this architecture in January 2016 .

The architecture

remained essentially constant throughoutthe life of the program until NSA began dismantling it
in the summer of 2019, after the program was suspended.

(U ) Some of these technicalprocesseswere developed to ensure compliancewith the
minimization procedures approved by the FISA court in 2015 , when theprogram began. The
procedures governed NSA s handling, retention, and dissemination of the CDRs obtained from
providers under the USA Freedom Act. For example, theminimizationproceduresrequired an
initialreview of recordsto confirm that the CDRs were generally responsive to the court' s order,
mandated specific storage standards, andimposed rules for sharingUS person information. 54

A .

(U ) Program Architecture Used to Collect CDRs under
the USA Freedom Act

(U ) Under the USA Freedom Act, CDRs could be collected and used in emergency
situations ( a terrorist attack or an imminent threat) or in day -to -day counterterrorism
investigations. In the immediate aftermath of a terroristattack , collection of USA Freedom Act
CDRsmay have occurred as an emergency authorization, which had to be approved by the
Attorney General.
seek an emergency authorization, NSA personnelwould collaborate
with FBIcounterparts to prepare the proposed authorization for the AttorneyGeneral' s review .56
Only after the Attorney General approved the request could the government directthe providers

51(U ) See 50 U .S .C . 1861(j) (“ The Governmentshallcompensate a person for reasonable expenses incurred for
producing tangible things or providing information, facilities, or assistance in accordance with an order issued with
respectto an application . . . or an emergency production . . . otherwise providing technical assistance to the
Governmentunder this section or to implementthe amendments made to this section by the USA FREEDOM Act of
2015.
52 (U ) NSA Civil Liberties and Privacy Office, Transparency Report: The USA FREEDOM Act Business Records
FISA Implementation (Jan . 15 , 2016 ) (“NSA USA Freedom Act Transparency Report ).
53 (U ) NSA Notice to the Board (Aug 30 , 2019).
54 (U ) NSA Minimization Procedures for CDRs.
55 (U ) 50 U . S. C . 1861(i); see also NSA briefing to the Board (May 23, 2019).
56 (U ) 50 U. S .C.

1861(i); see also NSA briefing to the Board (May 23, 2019 .
13

TOP SECRET

 to produce CDRs associated with the approved specific selection terms. Even in an emergency,
this effort could have taken many hours.
Under the statute, the governmentmust seek FISA
court approval for any emergency authorization approved by the Attorney General within seven
days.
Therefore, almost immediately after the Attorney General' s approval, the government
would begin preparing its filings to the FISA court to ratify the emergency authorization with a
FISA court order. 59

(U ) IfCDRswere sought in a non- emergency scenario, NSA and FBIwould preparethe
specific selection termsand supportingevidenceas described above,but typically over a longer
timeperiod. Attorneys from the DepartmentofJustice would work with NSA and FBIpersonnel
to draft FISA court filings thatdescribed the specific selection termsand explained the
reasonable articulablesuspicion thattheterms are associated with a foreign powerengaged in
internationalterrorism .
This draftingprocessoften took days or weeks, andthe FISA court
could havereviewed the application for severaldaysbefore denying or approvingit.
parallel with that legalprocess, NSA analysts could have continued to conductcontact-chaining
analysis using data available underNSA s other legalauthorities.

1

(U ) Obtaining CDRs

(
NSA acquired landline and wireless CDRs underthe USA Freedom Act
64 Nor did
NSA did notuse the program to obtain CDRsassociated with
the CDR program

collect metadata associated with

57 (U ) NSA briefing to the Board (May 23, 2019).
58 (U) 50 U .S .C . 1861 )(3) ; see also NSA briefing to the Board (May 23, 2019 ).
59 (U ) 50 U. S.C. 1861( )(3); see also NSA briefing to the Board (May 23, 2019).
60 (U ) 50 U.S .C. 1861(b) (2 )(B ); see also NSA briefing to the Board (May 23, 2019).
61 (U ) NSA briefing to the Board (May 23 ,2019); FBIbriefing to the Board (June 19, 2019)
62 (U ) NSA briefing to the Board (May 23 ,2019 ).
63 (U ) NSA briefing to the Board (Jan. 23, 2019).
64
briefing to the Board (Jan. 23, 2019).
See FBIand DOJ
briefingto the Board (Mar. 12

2019) .

14

TOP SECRET

 Once the FISA court approved a specific selection term under the USA Freedom
Act, NSA did not immediately send the specific selection term to providers and request
corresponding CDRs. Instead , NSA first queried for contacts with the specific selection term in
the
an internalrepository containing metadata previously collected by
NSA .
These queries were governed by NSA s policies and procedures , including the NSA ' s

Attorney General-approved Supplemental ProceduresGoverning CommunicationsMetadata
Analysis (“ SPCMA” ). 67 SPCMA allows identifiers associated with both non -US persons and
US persons to be used to query phonemetadata and electronic communicationsmetadata that
NSA already obtained through other lawful collection methods. By doing so, NSA was able to
find first-hop contacts in telephone metadata already in its own holdings, such as intercepted
telephone communicationsmetadata collected pursuant to FISA or Executive Order 12333. 68
(

After it queried the internalmetadata repository, NSA included the specific

selection terms and direct contacts found through the searches in its holdings when it sought
further records from the providers . 69 The system for sending specific selection terms and direct
contacts to the providers and for receiving CDRs in return was referred to as
which we refer to hereas “ System 1.

System 1 marked the specific

selection term and direct contacts for internal record-keeping.

(U ) The providers received the specific selection terms and direct contacts and searched
for any responsive CDRsshowing contactsbetween these numbersand others. Those records
fields
were produced to NSA in a standardized format thathad about50 fields per record.
included information such as the call participants' phone numbers, unique device identifiers of
participants(if applicable) , andthe date, time, and duration of the call. Each record also
contained information about the legal authority under which it was obtained, including a code
indicatingthe specific FISA courtorder.74 Under the USA Freedom Act, CDRs could not
include the contents of any communication, the name, address, or financial information

66 (U ) NSA briefing to the Board (Mar. 26 , 2019).
67 See Department of Defense , Supplemental Procedures Governing Communications Metadata Analysis,
20Supplemental % 20Procedures % 0220080314 .pdf.
https ://www .dni.gov / files /documents /
68 (U ) See NSA USA Freedom Act Transparency Report at 5 – 6 ; see also NSA briefing to the Board (Mar. 26 , 2019).
69 (U ) SeeNSA USA Freedom Act Transparency Report at 7; NSA briefing to the Board (Jan. 23, 2019).
70 (U ) NSA briefing to the Board (Jan. 23, 2019).
71(U ) NSA briefing to the Board (Mar. 26 , 2019) .
72 (U ) NSA briefing to the Board (Mar. 26, 2019 ). The full list of fields is attached as Appendix B.
73 (U ) See NSA USA Freedom Act Transparency Report at 4; NSA briefing to the Board (Mar. 26 , 2019 .
74 (U ) NSA briefing to the Board (Mar. 26, 2019 ).
15

TOP SECRET

 TOP SECRET

ofa subscriber or customer, or cell-site location or global positioningsystem information.
NSA represents that, since the start of the program in November2015, itnever received any
prohibited categories of information from providers under theprogram . 76

(U ) NSA then used System 1 to check the validity of CDRsproducedby the providers.
Among other things, the system checked the code indicatingthe FISA court order to ensure the
collection occurred pursuant to a valid order.
step did not allow NSA to verify that the
CDR accurately described a phone call that had in fact occurred, or that the data did not contain
errors. 78 Rather, NSA used this validation effort to ensure that the CDR fields were plausible
that is , it sought to detectwhen, on its face , a CDR could nothave been a valid response to the
specific selection term . For example, if a field should have a date, NSA systemsconfirmed there
was a valid and appropriate date in that field . In other fields, NSA systems checked for a
particularnumberof digits or a particular formatting, with the goal of ensuringthe CDRswere
properly formatted and not facially incorrect. If one of these validation checks failed for
example, a field that should have a date did not have one— the recordswere held for review by
technical personnelto identify the nature of the anomaly. This prevented NSA analysts from
accessing certain types of potentially unauthorized or incorrect CDRs.
( U) If the CDRs from the provider passed the validation steps, they were passed by
System 1 into otherrepositories, includingthe internalmetadata repository ,where they could be
accessed by NSA analysts.
regularly checked its internal repository to obtain further
CDRs. Related CDRs associated with a specific selection term (first-hop CDRs) were
automatically distributed to the other providers to obtain second-hop records. 82 Similarly, first

75 (U ) 50 U . S .C . 1861k )(3)(B ) (“ The term
detailrecord
notincludethe contents . . . of any
communication; the name, address, or financialinformation of a subscriber or customer; or cell site location or
globalpositioning system information. ” ).
76 (U ) NSA briefing to the Board (May 23, 2019).
77 (U ) See NSA USA Freedom Act Transparency Report at 14 (
s minimization procedures . . . require the
Agency to inspectCDRsreceived from a provider through manual and/ or automatedmeans to confirm that the
CDRsare responsive to the FISC ' s production order. ; NSA briefing to the Board (Mar. 26 , 2019).
78 (U ) The system did not enable NSA to verify the accuracy of the recordsmaintained by the providers
themselves— a reason it took years to discover the data-integrity issues discussed in Part II(B ) of this report. See
NSA USA Freedom Act Transparency Report at 14 (“NSA plays no role in ensuring that the provider-generated
CDRs accurately reflectthe calling events thatoccurred over the provider' s infrastructure[. ) ; NSA briefing to the
Board (May 23, 2019).
79 (U ) See NSA USA Freedom Act Transparency Report at 5 ; NSA briefingto the Board (Mar. 26 , 2019).
80 (U ) See NSA USA Freedom Act Transparency Report at 5 ; NSA briefing to the Board (Mar. 26 , 2019) .
81 (U ) See NSA USA Freedom Act Transparency Report at 5 8; NSA briefing to the Board (Jan . 23 , 2019 ).
82 (U ) SeeNSA USA Freedom Act Transparency Report at, 5 8; NSA briefing to the Board (Jan . 23, 2019 ).
16

 TOP SECRET

hop numbers derived from NSA s metadata collection were sent to providers to enable them to
return any second -hop results
The providers sent any responsive CDRs, including historical
records, back to NSA on an ongoing, automated basis for the life ofthe order. 84 In other words,
NSA was able to obtain a second hop ofCDRs by sending providers the first -hop contacts it
found in its internal repository . Thus, at any given point, the providers were only returning a
single hop of data .
(U )
USAFREEDOM
ACT IMPLEMENTATION

ARCHITECTURE

1: RASApproval
Process

: Provider
Query/ Federation

PHASE3: Analyst
Query Analysis
andReporting

ANALYST

RAS
Justification
NSA
Enterprise
Architecture

Data
Interface

Architecture
.

)

including
results
from the
provider
(
. These
selectors
are
returned
to theData
Interface
.

Analyst
(properly
trained
with
mission

RAS
approved
selectors
, and
provider
s as
request
.

justification
)
NSA
queries

a

in direct
contact
with RAS
selector
are validated
withthe
to

a

'

NSAs Enterprise
Architecture
generates
list
ofselectors
in
direct
contact
witha RAS
selector
byquerying
metadata
NSAalready
lawfully

)

FBI
Application

NSADataInterface
sends
theRAS
approved
selectors
to bequeried
in
NSA
' s Enterprise

(

Data
Interface

Enterprise
Architecture

Application

FISC

Interface

)

Provider
s query
against
their
business
record
holdings
for
containing
RAS
or
selectors
in direct
contact
witha RAS
selector
. Results
returned
to NSA
(

RAS
Approval

Data

PROVIDER
(S

NSA
Enterprise
Architecture

NSA
validates
provider
results
applies
datatags

Provider
results
stored
in the
NSA
Enterprise

andforwards
to
NSA
Enterprise
Architecture

Architecture
as
structured
data

Analysis
and
Reporting

(U )

(U ) This resulted in an iterative process whereby new CDRs from any provider or new
contacts from NSA ownmetadata collection could result in additional responsive CDRs being
produced to NSA automatically for counterterrorism analysis . For example, if two weeks into an
order one provider produced to NSA CDRs showing that a specific selection term contacted
another number, NSA would automatically transmit that new number to the providers asa first
hop contact. With the new contact added, otherproviders might identify new responsive second
hop CDRs that they would then produce to NSA . Likewise, if NSA found contacts between the
specific selection term and another individualvia its Executive Order 12333 collection, the other
individual s number could be sent to each of the providers as a first-hop contact.8 Finally , it
83 (U ) See NSA USA Freedom Act Transparency Reportat 5 8; NSA briefing to the Board (Jan. 23, 2019).
84 (U ) SeeNSA USA Freedom Act Transparency Report at 5 – 8; NSA briefing to the
85 (U ) SeeNSA USA Freedom Act Transparency Report at 5 8 .
17

TOP SECRET

(Jan. 23, 2019).

 TOP SECRET

was also possible for second -hop contacts to become first-hop contacts if they directly contacted
a FISA court-approved 86 specific selection term . Because that individual would now be a first
hop contact, NSA could seek CDRs for its contacts from all providers .
2.

(U ) Analyzing

(U ) When NSA received valid CDRs, they were processed and placed into its
repository. 87 NSA repositories are subject to access controls and cannot be directly reviewed by
NSA analysts . Rather, NSA analysts use software interfaces that validate what data they are
authorized to access, and return information from a repository in response to the analysts
queries.

(U /

metadata records, NSA analysts use generalmetadata viewing tools,

including
which we refer to here as Tool 1. Tool 1 enables NSA analysts to query
one or more datasets to which they have access, includingmultiple types ofNSA metadata
records. 89 Primarily using Tool 1,NSA analysts can input differentterms which they reasonably

expectto return foreign intelligence information and query those termsagainst several different
pools ofmetadata.

( U ) Prior to the passage of the USA Freedom Act, CDRs weremaintained in such a way
that NSA analysts could not query CDRscollected under the former CDR program alongside
othermetadata records collected by NSA in Tool 1.91 NSA later determined that it could use a
single tool, Tool 1, ithad earlier produced to search allmetadata recordsthe analyst was
authorized to review , though this was notcaused by the passage of the USA Freedom Act.
Tool 1 allowed an analyst to search againstall availablemetadata and to use all query termsat
once, saving timeand providinginsights that might otherwise be difficult to uncover. 93
(U ) Using this tool to query different types ofmetadata, while operationally efficient, had
an anomalous side-effect for NSA ' s efforts to countmetadata query terms. A simple example
illustrates the anomaly : A query in Tool 1 about an email address and a US phone number could
automatically ping against CDRsobtained under the USA Freedom Act. This would count as

86 (U ) Or Attorney General-approved under the emergency provision . See 50 U .S .C .

1861 ).

87 (U ) See NSA USA Freedom Act Transparency Report at 5 – 8; NSA briefing to the Board (Mar. 26 , 2019).
88 (U ) NSA briefing to the Board (May 23, 2019).
89 (U ) NSA briefing to the Board (May 23, 2019 .
90 (U ) NSA briefing to the Board (May 23, 2019).
91 (U ) NSA briefing to the Board (May 23, 2019).
92 (U ) NSA briefing to the Board (May 23, 2019).
93 (U ) NSA briefing to the Board (May 23, 2019).

TOP SECRET

 TUI

two query terms of USA Freedom Act CDRs even though using an email address as a query term
in Tool 1would never return USA Freedom Act CDRs. 94 (Those CDRs did not include email
addresses or other unique online identifiers. 95) As a result , the reported number ofUSA
Freedom Act CDR query terms
those CDRs.

included terms that , by their nature , could never have returned

(U ) Using Tool 1 for its operational benefits produced ancillary benefits for oversight and
compliance. The minimization procedures that apply to USA Freedom Act CDRsaddress the
handling, retention, and dissemination ofCDRs, but do not regulate querying
Thus, NSA was
notrequired to track — and did not need to have a particularized foreign intelligence justification
for running
person queries of CDR program data. However, Tool 1 is designed to
automatically require analysts to justify and track US person queries and requires a foreign
intelligence purpose for each query run in order to comply with NSA s other procedures. Using
Tool 1 effectively imposed these requirements as a matter ofpractice on the CDR program . 98
an analyst ran a query that returnedCDRs, the analystwould naturally
want to know additionalinformationaboutthe individualsinvolved, even to the point of
identifyingcommunicantsifpossible. However,

with

identifyinginformation as they entered its repositories. For example, it did not
to the
CDR produced by the provide

99 For example , an NSA analyst could have Tool 1 indicate whether any
were associated with an NSA target of foreign - intelligence interest. 100 An NSA analyst could
the contact in the query
also ask Tool 1 to display certain
,
results
101

94 (U ) NSA briefing to the Board (Mar. 26 , 2019).
95 (U ) NSA briefingto the Board (Mar. 26 , 2019) .
96 (U ) Office of the Directorof National Intelligence, StatisticalTransparency Report Regardingthe Use of National
Security Authorities: Calendar Year 2018, 28 (Apr. 2019) (“ 2018 Statistical Transparency Report ,
https //www .dni.gov/ files/ CLPT/documents/2019_ ASTR_ for_ CY2018.pdf.
97 (U ) See NSA MinimizationProcedures for CDRs.
98 (U ) NSA briefingto the Board (Mar. 26 , 2019).
99 (U ) NSA briefingto the Board (May 23, 2019).
100 (U ) NSA briefing to the Board (May 23, 2019).
101(U ) NSA briefingto the Board (May 23, 2019).
19

TOP

 TOP SECRET

3.

(U ) Access Controls, Logs, and Data Deletion

(U ) Access to NSA systems that contained USA Freedom Act information was
controlled . 102 NSA systems are built to ensure that only users with a valid mission need and
For back
appropriate training are allowed to access stored foreign intelligence information .
end systems not accessible to analysts , including System 1, only particular authorized users can
access those systemsor files. 104 Thus, a pool of analysts had the training and authority to query
CDR program records in Tool 1, and a smaller number of technical personnel were able to view
records that arrived in System 1, including those that failed NSA s initial validation check. 105
(U ) Subjectto certain exceptions, NSA minimization procedures requiredNSA
eventually destroy recordsobtained under the USA Freedom Act. 106 The minimization
procedures required NSA to promptly destroy recordsthat were determined not to contain
CDRswere destroyed under this provision. 108 Records
foreign intelligence information.
collected under the program were otherwise scheduled to be destroyed after five years. 109 This
was to be accomplished by deleting them from the internalmetadata repository and any other
pertinent systems. However, someresidual informationwould remain , such as documentation
that a provider had produced CDRs. 110 Additionally, theminimization procedures allowed NSA
to retain CDRs thatwere the basis of an approved dissemination — that is, intelligence reporting
circulated to other agencies.
practice, NSA deleted all USA Freedom Act CDRs in 2018
and again in 2019; however, CDRsthatwere used in intelligence reporting were not deleted,
though those recordswere no longer available in the internalmetadata repository. 112

B.

(U ) Compliance and Data Integrity Challenges

(U ) Between early 2016 and mid -2019 , the governmentfiled approximately a dozen
notices to the FISA court regardingcompliance and data -integrity issues experienced while

102 (U ) NSA briefing to the Board (Jan . 23, 2019 ).
103 (U ) NSA briefing to the Board (Jan. 23 , 2019).
104 (U ) NSA briefing to the Board (Jan . 23, 2019 ).
105 (U ) NSA briefing to the Board (Mar. 26 ,2019 ).
106 (U ) NSA Minimization Procedures for CDRs.
107 (U ) NSA Minimization Procedures for CDRs at 7 .
108 (U ) NSA briefing to the Board (May 23 , 2019).
109 (U ) NSA Minimization Procedures for CDRs at 7 .
110 (U ) NSA briefing to the Board (Jan . 23, 2019) .
111 (U )NSA Minimization Procedures for
.
112 (U ) See note 2 .

 TOP SECRET

operating the USA Freedom

Act CDR program . A classified appendix describes these incidents

in more detail.
1

(U ) General Compliance Matters

(U ) Some of the notices filed with the FISA court , which are described in this section ,
dealt with compliance incidents which could occur when using other intelligence or equivalent
law enforcement collection authorities and were the result of two types of government error and
one type of provider error .

.

(U Omitted Informationfrom FISAApplication

(U ) In one instance, the same day the FISA court approved the government' s application
under the USA Freedom Act, FBIinformed NSA that it possessed intelligencewhich called into
question facts the governmentrelied on in its application.
attributed its failure to share
asked
of
Justice
to
an
internaloversight
.
this intelligencewith NSA and the Department
the providersto stop producingCDRs for certain specific selection termsaffected by the
omissions and asked the providers to continue production for the specific selection term that was
not affected by the omissionsand continued to meet the statutory requirements.

b.

( U Overproduction

Three days after a valid FISA court order expired, a provider transmitted
CDRsassociated with the expired order to NSA. Upon receiving thefiles, NSA s automated
initialreview in System 1determined thatthe CDRs should nothave been produced and as a
result, ensured thatNSA analysts did not gain access to the files. NSA destroyed all
erroneously transmitted by the provider within a few days.
C.

( U ) Training Compliance Incidents

(U ) NSA discovered that a numberofNSA personnelwere unintentionally granted access
to USA Freedom ActCDRs even though the personnel did nothave training requiredby the
minimization procedures. NSA confirmed that this issue was caused by human error. Among
other corrective steps, NSA revoked access credentials for personnel. In lightof this incident,
NSA sped up its efforts to shift from manualverification of training toward automated
verification. Additionally, NSA analysts improperly shared CDR information via emailwith
NSA analysts who had nothad the formal USA Freedom Act training. In this instance, NSA

113 ( U ) GovernmentNotice to the FISA court

24 , 2016 ).

114 (U ) Priorto the filing of the application, a foreign partnerprovided additional information aboutthe target to FBI.
Dueto an FBIanalyst s annualleave, that additionalinformation was not included in the application. FBIbriefing
to Board staff (Oct. 22 , 2019) ;GovernmentNotice to the FISA court (May 24 , 2016).

21

TOP SECRET

 TOP SECRET

recalled the improperly shared CDR information . No additional improper access occurred
during the duration of the program .

2

(U ) Data

Issues

( U ) Beginning in 2017 and continuing until the program s suspension in 2019 , NSA
sought to diagnose and overcome complex data - integrity issues in the CDRs produced by phone
companies, which implicated a large number of records.
The government s notices to the
FISA court described these issues. This section summarizes NSA s repeated discovery of
anomalies in the data it received and the agency s response to these incidents .
( U ) Production of Inaccurate First-Hop Numbers
first data-integrity incident, a provider produced inaccurate first-hop
numbers to NSA in a subset of CDRs. The provider s system had been incorrectly populating
terminating numbers (the field for a number used by the party receiving a call) with
While System

1 was designed to detectdata whichmaynotbe authorized for collection, these

similarly to data regularly
System
1.
Accordingly
,
the
system
did
not
reject
the
data and instead requested
accepted by
second-hop records using the erroneous first-hop response . As a consequence , NSA requested

non- responsive

records numbers “ one hop” away from the
(

While investigating this incident, the provider identified a separate incident:

records incorrectly produced to NSA as a resultof a
This error was separate from the errors related to the

TS /

The provider implemented a technical solution to prevent incorrect

from being delivered to NSA . NSA identified and purged CDRs that contained these

terminating numbers. NSA did not identify any incorrect CDRsthatwere used in
an application to the FISA court or as the source of reporting.

b.

Production ofInaccurate Data Associated with

another data - integrity incident, a provider produced to NSA almost
CDRswith inaccurate data. The inaccurate data was populated by the
provider' s CDR production system , which assembles the data into
Specifically , when
inaccurate CDRs were created by the provider' s CDR production system over a two year period.

115 (U ) This large number of records reflected a fraction ofonepercentof the overall collection.

TOP SECRET

 TOP SECRET

(U ) The same day it identified the problem , NSA stopped issuing new requests to the
provider for data and also stopped processing data received from the provider into its
repositories . This ensured analysts stopped receiving access to new inaccurate CDRs. NSA
informed its analysts of the inaccurate information produced by the provider and cautioned them
not to rely on CDRs from the affected time period . The provider ultimately implemented a
technical solution to its system to prevent delivery of inaccurate records to NSA .
(

Subsequent internal NSA investigations discovered that prior to the discovery of

the data -integrity issue, some inaccurate CDRs were used to support four applications to the
FISA court seeking USA Freedom Act authorization

On April

11
, 2018 , the governmentfiled a notice informing the FISA court of the inaccurate information
producedby this provider. The governmentalso notified the FISA court of the four applications
that relied on the inaccurate information. NSA deleted CDRsacquired as a resultof these four
applications and recalled one disseminated intelligence report generatedbased on the inaccurate
CDRs

Expanding Accuracy ConcernsLead NSA to Delete
(
connection with its investigation into the provider's production of
, NSA searched for similar anomalous
inaccurate data associated with
data from the other providers and found a number of questionableCDRs. In one instance, NSA
brought the possibility of inaccurate CDRs to the attention of the provider. That provider
confirmed that it also producedCDRswith inaccurate data in

situations. In
a separate trancheof inaccurate CDRs. Those

addition, the providerhad also reported to

CDRs included fields which had been overwritten with unrelated data.

(U ) By May 2018, NSA realized that the providers could notidentify for NSA all the
affected records, and NSA had no way to independently determinewhich recordscontained
inaccurateinformation. Thus, NSA did nothave a viable way to remove the affected recordsand
retain unaffected records. In response, NSA initiated the deletion of all data produced under the
USA Freedom Act by providers. 116 NSA also successfully revalidated all reports produced by
NSA by that time and confirmed they did not rely upon inaccurate CDRs produced in error by
the providers. NSA issued a public statementregardingits deletion of USA Freedom Act
CDRs. 117

116 (U ) In September 2018, NSA

Office of the InspectorGeneralidentified a small number of USA Freedom Act

data objects” derived from CDRs that should have been deleted but were not, based upon NSA ' s mistaken
assumption regarding the technical configurations for a single SIGINT repository . By October 15 , 2018 NSA had
also deleted this data. See NSA Office of the InspectorGeneral, Semi-Annual Report to Congress: 1 October 2018
to 31March 2019, 13 (Jan. 2019) , https://oig nsa . gov.
117 (U ) GovernmentNotice to the FISA court
Deletion , PA-010 - 18 (June 28 , 2018) .

June 4 , 2018 ); see also NSA Press Release, NSA Reports Data

TOP SECRET

 TOP SECRET

d.

U ) AdditionalComplianceIssuesand Concerns

Later in 2018, NSA noticed a larger than expected numberofdata values in
specific fields of CDRs from one provider. The provider discoveredthat ithad producedmore
CDRs with incorrect data associated with authorized specific selection terms.
Workingwith this provider, NSA was unable to rectify the inaccurate data problem .

discussion with this provider, and with the other providers, led NSA
to gain a better appreciation for how all providers maintain their business records in
The government maintains that CDRs created by all

are valid session identifying

providers in

information under the statute because

with the specific selection term and
are included in CDRsshowing a contactand/or connection with the Court-authorized specific
selection term . The governmentinformedthe FISA
of this position. The FISA court did
notexplicitlyaddress this issue in anyorders or hearings.
(U

Suspension of the Program

allowed its last FISA court order issued under the USA Freedom Act to
expire in early 2019. 118 Since then , NSA has not requested any CDRs from providers. On
NSA informed the Board that itwould begin dismantling the System 1 architecture and

would reallocate any remaining fundsto other intelligence programs.

NSA s decision to end

its collection of CDRs under the USA Freedom Act, delete previously acquired records, and
decommission the technical architecture created to effectuate it, was made after balancing the
program ' s relative intelligence value , associated costs, and compliance and data -integrity
concerns caused by the unique complexities of using these provider- generated business records
for intelligence purposes.
subsequently deleted data collected under the USA Freedom
Act. 121

118 (U NSA Notice to the Board (Apr. 17, 2019 ).
119 (U ) NSA oral noticeto Board Executive Director, Lynn Parker Dupree.
120 (U ) Letter from Directorof National Intelligence Dan Coats to Senators Richard Burr, Lindsey Graham ,Mark
Warner, and Dianne Feinstein ( Aug. 14, 2019).
121 (U ) NSA Notice to the Board (Aug. 5, 2019).

 III. (U ) OperationalUse of the USA Freedom Act CDR
Program

(U ) This section describes how an NSA analyst would use the CDR program to assist his
or her counterterrorism mission ; how the CDR program provided analytic material for
intelligence reporting since 2015 ; and how FBI used NSA intelligence reporting in its
counterterrorism and investigative efforts .
A .

(U

How NSA Analysts Used the USA Freedom Act CDR

Program
( U ) As part of its signals intelligence mission, NSA collects foreign intelligence from
communications and information systems to support intelligence needs across the government. 122
To answer terrorism -related requests, NSA maintains an office of counterterrorism within its
operations directorate.
Thatoffice brings all lawfulauthorities and intelligence relationships
to bear in its collection and analysis of signals intelligence , providing valuable insight into the
terrorist threats to the country. 124

(U ) When a new terrorism threat is discovered or a terrorist attack occurs,NSA 's office
Its analysis
of counterterrorism uses all its legal authorities to collect and analyze intelligence.
informspolicymakersand law enforcement about the threat and aids in their decision-making
processes.126 Timeis of the essence in the immediate aftermath of an attack or when an
imminent threat is discovered, so NSA analysts routinely leverage intelligence relationships and
utilize a broad array ofauthorities to obtain and access the highest quality information they can ,
as quickly as they can. 127
(

example, hypothetically, if a terrorist attack occurred in New York City, an

NSA analyst would seek information from an FBIanalyst liaison
analyst would attempt to ensure that any information relating
to the attack in FBI's possession that could legally be shared with NSA was quickly relayed to
NSA. Likewise, NSA would pass any pertinent intelligence to FBI, subject to applicable legal

122 (U ) NSA briefingto the Board (May 23, 2019).
123 (U )NSA briefing to the Board (May 23, 2019 ).
124 (U )NSA briefing to the Board (May 23, 2019 ).
125 (U )NSAbriefing to the Board (May23 , 2019).
126 (U )NSA briefing to the Board (May 23, 2019 ).
127 (U )NSA briefing to the Board (May 23, 2019).
25

TOP SECRET

 TOP SECRET

restrictions. On the other hand, if a terrorist attack were to occur at a US embassy abroad, an
NSA analyst would seek information held by NSA s foreign partners.

(U ) When reaching outto its intelligence partners,NSA would be particularly interested
in any specific selection terms related to the attack or attackers.128 Without such leads, including
specific selection termsshared by partners or discovered by NSA, it is harder for NSA analysts
to queryits intelligence repositories, conduct metadata analysis, and employ other analytic
techniques.129
(U ) Once NSA obtains information about the attack and attacker, an analyst would search
NSA s intelligence repositories to find information previously collected under NSA' s various
legal authorities, such as Executive Order 12333 or FISA . 130 The results of these queries could ,
for example, help the analyst conduct contact chaining to better understand the attacker ' s
contacts and communications.

(U ) The NSA analystmight also work with FBIand the Departmentof Justice to seek
authority to collect CDRsunder the USA Freedom Act.131 If approved , the analyst could use the
resultingCDRsto revealconnections between the attacker and other individuals in the United
States or abroad. 132 The analystwould write a report describing any foreign intelligencefindings
(or, in some cases, simply listing phone numbers or other identifiers associated with the
attacker). That information could then be disseminated, pursuantto the minimization
procedures, to other government agencies involved in counterterrorism , includingFBI.

B.

(U

USA Freedom Act CDRs in Intelligence Reporting

(U ) The number of orders the governmentsoughtunder the CDR program has declined
sharply since its inception . From 2016 to 2018 , the government received 94 FISA court orders
under the USA Freedom Act CDR provision.

2018, the government received 14 FISA

court orders, a steep drop from the two prior years. 134 Despite the relatively low number of
orders, NSA collected , in absolute terms a large number of CDRs. In total, NSA estimates that

128 (U )NSA briefing to the Board (May 23, 2019).
129 (U )NSA briefing to the Board (May 23, 2019).
130 (U )NSA briefingto the Board (May 23 , 2019).
131 U )NSAbriefing to the Board (May 23, 2019).
132 (U )NSA briefingto the Board (May 23 , 2019).
133 (U ) 2018 Statistical Transparency Reportat 28. Those orders related to 93 unique targets.
134 (U )2018 Statistical Transparency Report at 28.
26

TOP SECRET

 SECRET

it receivedmore than 151million CDRsfrom providers in 2016 , 534 millionCDRs in 2017, and
434 million CDRsin 2018. 135

(U ) NSA used these CDRs as part of its contact- chaining analysis. NSA s goal in contact
chaining was to map an attacker ' s ( or potential attacker's) network or find connections between
the attacker and other individuals known to NSA .

To conduct contact chaining, an NSA

analystwould use Tool 1 to query the internalmetadata repository . NSA estimated thatNSA
analysts used 22, 360 such query terms associated with US persons to conduct such queries in
2016 , 31, 196 in 2017 , and 164,682 in 2018. 137 (Note, however, that someof these query terms
were non -telephony identifiers that could not have returned CDRs.) NSA used the results of
these queries, combined with information from other sources, in intelligence reports. These
reports
disseminated to other US governmentagencies, includingFBI, to assist their
counterterrorism efforts.

(U ) It is the Board 's impression that,when combattingterrorism , NSA felt it had to use
all available authorities, including theCDR program . Thiswas done in case the data revealed an
intelligencelead or a terrorist plotthat otherwise would havebeen unknown. However, NSA
told the Board that traditionaltelephonymetadata, like thatobtained through the CDR program ,
was unlikely to show a suspected terrorist' s complete socialnetworkbecause it did not account
for othermodesof communication. 138 Further complicatingmatters, NSA was awareof data
integrity issues with the CDRs, which made them hesitantto rely solely on USA Freedom Act
CDRs. 139
measuring value , NSA often looks to the number of reports that is generated
by a collection platform or methodology.
NSA issued relatively few reports based on CDRs
collected under the USA Freedom Act. Over a span of four years, NSA wrote and disseminated

135 (U ) 2018 Statistical Transparency Report at 30. These numbers include duplicates.
136 (U ) NSA briefing to the Board (May 23 , 2019).
137 (U ) 2018 Statistical Transparency Report at 31. The intelligence community ' s annual statistical transparency
report includes an estimate of thenumber of search terms associated with a US person used to query USA Freedom
Act CDR data. It is likely, however , that these numbers overstate NSA analysts true” queries of information
concerning a US person because NSA analysts group query terms together to run against multiple repositories that
the analyst is authorized to query. The result is that a query containing a large amount of non-telephony metadata
could be run against NSA ' s USA Freedom Act CDR holdings, along with data collected under other authorities
more relevantto the analysis . Each of those query items would count in the numbers reported in the annual
.
Statistical Transparency Reports, even though some queries would not conceivably return USA Freedom Act
138 (U ) NSA briefing to the Board (May 23, 2019 ).
139 (U ) NSA briefing to the Board (May 23, 2019 ).
140 (U ) NSA briefing to the Board (May 23 , 2019 ).

27

TOP SECRET

 TOP SECRET

only 15 intelligence reports derived in whole or in part from these CDRs.141 While NSA would
not expect a metadata collection program to produce as many reports as a content collection
program , NSA characterized the 15 reports based on USA Freedom Act CDRs as extremely low
for a program of this duration, especially in light of the performance of other collection
authorities, includingSection 702.
stated that an intelligence program of similar
duration and costwould be expected to produce thousands or tens of thousands of reports. 143
Board staffreviewed 14 of the 15 reports ;

(U ) NSA typically would use the CDR program in response to a terrorist attack or in
response to a known terrorist threat. NSA used the CDR program in the intelligence analysis of
the following attacks or threats from November 2015 until the program was suspended :

machete attack . 144 On February 11, 2016 , a manwith a machete
attacked customers at the Nazareth Restaurant in Columbus, Ohio . 145 The attack leftfour
restaurantcustomers wounded; the attacker was killed by respondingpolice officers. 146
NSA produced one report derived in whole or in part from USA Freedom Act CDRs as
part of NSA

post- attack investigation and analysis.

nightclub attack . 147 On June 12, 2016 , a mass shooter killed
people andwounded 53 inside Pulse, a nightclub in Orlando , Florida.
The attacker
pledged allegiance to the Islamic State of Iraq and Syria ( ISIS ) during the attack 149
NSA produced two reports derived in whole or in part from USA Freedom Act CDRs
related to the attack duringNSA' s post- attack investigation and analysis.
141 (U ) NSA briefing to the Board (May 23, 2019).
142 (U ) As a comparison, during the same timeframe, a subset of NSA reports derived in whole or in part from data
obtained by NSA under FISA Section
totaled 12,474. 2018 Statistical Transparency Report at 19 . Note that
this figure includes only reports concerning a US person , and notadditional reports derived from data obtained
under Section 702 of FISA that do not concern a US person . NSA briefing to theBoard (May 23, 2019).
143 (U ) NSA briefing to the Board (May 23, 2019) .
144

145 (U ) Cops killman after machete attack at Ohio deli, CBS NEWS Feb . 12, 2016 ).

146 ( U ) Cops kill man after machete attack at Ohio deli, CBS NEWS (Feb . 12, 2016 ) .
147

148 (U ) LizetteAlvarez & Richard Perez Pena, OrlandoGunman AttacksGay Nightclub, Leaving 50 Dead,
N Y . TIMES (June 12, 2016 ).
149 (U ) Lizette Alvarez & Richard Perez Pena, OrlandoGunman Attacks Gay Nightclub, Leaving 50 Dead,
N . Y . TIMES (June 12, 2016) .

TUI

 SECRET

( U ) Potential terrorist threats. The remaining reports produced by NSA which were
derived in whole or in part from USA Freedom Act CDRs cover communications of
persons suspected of having terrorism ties . These reports include information derived
from USA Freedom Act CDRsconcerning a suspected ISIS recruiter;
a US person
located outside the United States who is believed to have been contacted by an
international terrorist group
an individual known to NSA as an ISIS supporter

SECRET

US

 SECRET

person fightingoverseas on behalf of an internationalterrorist group
supporter

suspected ISIS

a person suspected of an association with ISIS.

(
The 14 reports reviewed by Board staffwere all similar in substance. They
provided charts of contacts including, in someinstances, information aboutindividuals of
interest associated with the target. In somecases, a person s contacts were conveyed in multiple
reports. In others, the information regarding a particular person 's contactswas provided in a
single report. The number of contacts listed varied from report to report,

(
The reports combined information derived from USA Freedom Act CDRs
with other information collected by NSA , includingmetadata from collection under Executive
Order 12333 and FISA . For example,
Not
allof the listed communications in this report were identified directly through USA Freedom Act
CDR analysis :
(U ) An importantcaveat attaches to these reports it is facially unclear which
information in them would havebeen unavailablewithouttheUSA Freedom Act CDR program .
This is because the 15 intelligencereports combined data from different authorities, such as
ExecutiveOrder 12333and FISA. In certain instances, NSA and FBIworked together to
determinewhat parts ofa reportcontained unique information gained from USA Freedom Act
CDRs. The valuethat FBIobtained from these reports isdiscussed below.

C .

( U ) FBIUse of USA Freedom

Act CDR Program

Intelligence Reporting
(U ) FBI received all reporting derived from the CDR program . NSA intelligence
reports , including those generated in part from
CDR program , allow readers or users ofthe

156

157

158

159

160 ( U ) FBIbriefingto theBoard(June 11, 2019) .

 TOP SECRET

report to provide feedback .161 NeitherNSA nor FBI is aware of any contemporaneousfeedback
from FBIor others suggesting that any of the 15 intelligencereports were, or were not, usefulfor
these earlier stage investigatory and analytical activities. However, FBIsubsequently conducted
a review ofthe CDR program s contributions. During a briefingto Board staff, FBIexplained
that while mostof the NSA intelligence reports provided redundant information, two reports
provided unique information to FBI.

(U ) Duringits review of thecontributions of the CDR program , FBIdetermined that, of
the 15 reports, 11duplicated information that was already present in FBIfiles.163 Ofthe
remaining four reports, FBIdetermined that two contained information thatwas duplicated by
FBIthrough information that FBIhad received from the use ofother lawful process. 164 This
duplication reflects the fact that FBIcan acquire one-hop metadata using a variety of other legal
authorities, including grand-jury subpoenas. Agents can then progressively expand their map of
a suspect s network by seeking a series of individualized court orders asnew information comes
in

(
reports.

received unique information from the remaining two intelligence
The first report
165

FBIdecided to open a foreign intelligence
investigation

based on the information contained in
NSA s USA Freedom Act intelligence report, which included relevant“ first hop” information
from the USA Freedom Act and relevant information from another legalauthority. 167

168

161 (U ) NSA briefing to the Board (May 23 , 2019).
162 (U ) FBIbriefing to the Board (Oct 23 ,2019).
163 (U ) FBIbriefing to the Board (June 11, 2019).
164 (U ) FBIbriefing to the Board (June 11, 2019 .
165 (U ) FBIbriefing to the Board (June 11, 2019).
166 (U ) FBIdiscussion with Board staff(Aug . 16, 2019 ).
167 (U ) FBIbriefing to the Board (June 11, 2019).
168 (U ) FBIdiscussion with Board staff (Aug. 16 , 2019 ).

TOP SECRET

 TOP

169

(

used informationin the second report to vet one other individual. 170

After doing so, FBIdecided notto open an investigationor take further action 171

169 (U ) FBIbriefing to the Board (June 11, 2019 ).
170 (U ) FBIbriefing to the Board (June 11, 2019).
171 (U ) FBIbriefing to the Board (June 11, 2019 ).

TOP SECRET

 TOP SECRET

IV.

( U ) LegalAnalysis

(U ) The Board' s statute authorizes us to review “ actions by the executive branch relating
to efforts to protect the nation from terrorism to determine whether such actions . .
consistentwith governing laws, regulations, and policies regardingprivacy and civil liberties.”
We understand our statutory mandate to reflect Congress' s desire that it receive a full, fair, and
impartial assessment of a program s legality when the Board issues reports.
Congressno
doubtrecognized that some programs, such as the now -suspended CDR program under the USA
Freedom Act,mightnever give rise to litigation.
Moreover,many of the facts underlying a
program s operation mightremain classified, thereby raising questions in Congress aswell as the
public whether the governmenthas complied with its legal obligations in implementingthe
program . Finally, Congress itselfmightwant additionallegaladvice as it fulfills its
constitutional duty to enact the nation ' s laws. 175
(U ) For these reasons, we consider the USA Freedom

Act CDR program

in light of the

Constitution s Fourth Amendment and the text of the statutory framework .

172 (U ) 42 U .S . C .

2000ee( d) (2) (C )( ii).

173 ( U ) The Board does not issue binding legal judgments like a court, nor does its legal advice bind actors within the
executive branch . See, e. g., 28 U . S. C . $
, 512 (conferring such authority on the Attorney General) ;
Management of Federal Resources, Executive Order 12 ,
. The Board s legaladvice is advisory and relevant to
the extent it has the power to persuade.” Skidmore v. Swift & Co. , 323 U . S . 134 , 140 (1944) .
174 ( U ) With respect to the CDR program , limitations imposed by Article III of the Constitution would likely
preclude a challenge to the program ’ s constitutionality , absent the government s initiation of a criminal prosecution
relying on evidence from the program . See Clapper v Amnesty International, 568 U .S. 398 , 410 (2013) (allegations
relied on a highly speculative fear” that plaintiffs' communications would be collected , rather than demonstrating
that alleged injuries were “ certainly impending” ) ; cf. American Civil Liberties Union v. Clapper, 785 F .3d 787 , 801
(2d Cir. 2015) (plaintiffs challenging bulk CDR program “ need not speculate that the government has collected , or
may in the future collect, their call records” ). The Second Circuit s holding in ACLU v . Clapper rested on the fact
that FISA court orders underpinning the bulk CDR program required
production ofall call detail records or
telephony metadata ,” ACLU v . Clapper, 785 F 3d. at 797 ( internal quotation marks omitted ), an approach to
collection prohibited under the USA Freedom Act.
175 (U ) Our colleagues question the “ utility of a constitutional analysis” given the Board' s " limited time and
resources.” Statement of Ed Felten & Travis LeBlanc at 70. They suggest that is so because the USA Freedom Act
CDR program has been suspended ,” “ its existence and primary contours were publicly known and debated , and it
was subject to oversightby the Foreign Intelligence Surveillance Court.” Statement of Ed Felten & Travis LeBlanc
at 70. Respectfully , we disagree. Although the CDR program may currently be suspended , Congress is considering
the reauthorization of a statutory provision under which the program could be restarted . In addition , the facts of the
program are not publicly known although many such facts have been released to the public for the first time as a
result of the Board ' s report, some remain classified . Finally , FISA court opinions often remain classified
precluding public knowledge of the conclusions constitutional and otherwise — the court reaches. Whether the
government has, in the past, acted consistentwith the Constitution in implementing a classified program is of
significant relevance to public debates over the appropriate statutory regimes to govern such programs.

SECRET

 TOP SECRET

A.

(U ) Fourth Amendment Analysis
.

(U ) Summary

(U ) The CDR collection program authorized by theUSA Freedom Actwas
constitutional. GoverningSupremeCourt case law makes clear that collection of telephone
dialingand routing information is not a search or “seizure” under the Fourth Amendment. The
SupremeCourt' s recentdecision in Carpenter v. United States expresslyreaffirmed that the key
precedentestablishing this principle, Smith v. Maryland, remainsthe law of the land. 176
Meanwhile, theUSA Freedom Actbarred the government from collecting the content of calls or
cell- site location information, twotypes of data that typically require a warrant under Supreme
Courtprecedent.

(U ) Our conclusion accords with the Board' s unanimous conclusion in 2014 that the
previous bulk CDR collection program was constitutional .
That program was more expansive
and had fewer safeguards than this one it involved bulk collection , rather than targeted
collection based on individualized suspicion , and did not require judicial approval of individual
selection terms. If that program was constitutional , it is difficult to see how this much narrower
program would not be. The Board ' s conclusion in its 2014 Report on the bulk CDR program
remains valid : “ Until the Supreme Court rules otherwise , Smith v. Maryland and the third -party
doctrine remain in force today . Government lawyers are entitled to rely on them when
appraising the constitutionality of a given action .
(U ) Finally, we note that our conclusion accordswith Congress s view when it enacted
the USA Freedom Act. Sixty-seven Senators and 338 Membersof the House voted for the Act.
Senators who supported the Actbelieved that it would “ protect[ ] the privacy of individuals” 179
while defendingnational security in a mannerthat is “ respectfulof the . . letter and the spirit of
the Fourth Amendment.
Senate and HouseMembers, includinglong- servingmembersof the
Judiciary Committee, argued that“ theUSA FREEDOM Actrepresentsa return to the basic
principle ofthe Fourth Amendment” 181and effected historic and sweepingreformsto the

176 ( U ) 138 S. Ct. 2206 , 2220 (2018)
177 (U ) See 2014 Board Report at 126 ; 2014 Board Report at 210 (statement of RachelBrand) (“ I agree with the
Board' s ultimate conclusion that the program is constitutionalunder existingSupremeCourt caselaw . ; 2014 Board
Report at 215 ( statementof Elisebeth Cook) (“ Our conclusion that the program doesnot violate the Fourth
Amendmentis unanimous, as itshould be. ) .

178 (U ) 2014 Board Reportat 126.
179 (U Statementof Sen . Leahy, Cong. Reg. S . 3422 (June 2, 2015); see also Cong. Reg. S . 3431( June 2 2015)
(statement of Sen. Wyden ) (“ [ W ]e are going to protect their liberty and we are going to strengthen their security [.]” ).
180 (U ) Statementof Sen . Lee, Cong. Reg. S. 3423 (June 2, 2015).
181 (U ) Statement of Rep. Nadler, Cong. Rec. H. 2916 (May 13, 2015 ).

TOP SECRET

 TOP

government s surveillanceprogram and powers.

TheseMembersbelieved themselves to be

protectingthe Constitution, not violating it. Weagree that the law they enacted was
constitutional

2

(U ) The CDR Program Complied with the Fourth
Amendment

(U ) The Fourth Amendment provides that the “ right of the people to be secure in their
persons, houses, papers, and effects , against unreasonable searches and seizures, shall notbe
violated , and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation ,
and particularly describing the place to be searched , and the persons or things to be seized. ”
( U ) We first consider whether the collection of telephony metadata under the CDR
program constituted a “ search ” or “ seizure” under the Amendment s text as interpreted by
relevant Supreme Court cases . We believe it did not, and that the program was constitutional for
this reason alone . We then consider whether , even assuming it effected a “ search ” or “ seizure , ”
the program was nevertheless “ reasonable ” and , thus, constitutional. Consistent with the Board' s
analysis in its 2014 report , and its disinclination to offer constitutional opinions where
unnecessary , we do not arrive at a conclusion on reasonableness ; rather , we preview the analysis
that a court would likely undertake . We conclude with our thoughts on the separate statement
authored by our colleagues .

(U ) To begin, the collectionofCDRsunderthe CDR program does not constitute a
" search or “ seizure” under controllingFourth Amendmentprecedent. The SupremeCourtheld
in Smith v. Marylandthat the governments acquisition of telephonedialing informationusing a
pen registerdoes not constitutea “ search” under the Fourth Amendment, and therefore does not
trigger the Amendments protections. 184 In Smith, the Courtrejected the argument that a caller
has a “ legitimate expectation of privacy regarding the numbershe dialed on his phone, ” finding
it “ too much to believe that telephone subscribers. . . harbor any generalexpectation that the
numbers they dialwill remain secret.

further held that even if a caller had a subjective

expectation ofprivacy in the numbersdialed, it would notbe “ one that society is preparedto
recognizeas reasonable.

“ This Court” it explained, “ consistentlyhas held thata person

182 ( ) Statement of Rep. Conyers, Cong. Rec. H . 2915 (May 13, 2015 ).
183 (U ) U.S. Const . amend. IV .
184 (U ) See Smith, 442 U .S. 745 46 .
185 (U ) Smith 442 U .S . at 742 43.
186 (U ) Smith, 442 U.S. at 743 (quoting Katz v. United States, 389 U .S. 347, 361 (1967 ) .

 SECRET

has no legitimate expectation of privacy in information he voluntarily turns over to third
parties,

a principle which has since becomeknown as the “ third -party doctrine.

(U ) That holding remains good law, even as the Supreme Court has clarified the Fourth
Amendment s application to new technologies, includingcellular networks. Most recently
2018 ), in Carpenter v. United States, the Courtheld that a demand issued to a third party for cell
The
site location information triggered the Fourth Amendment s warrant requirement.
the
CDR
Freedom Act explicitly excludes cell-site location information from collection under
provision .
And while Carpenter “ decline [d ] to extend Smith and Miller to the collection of
[cell-site location information the Court also reiterated that “ the third-party doctrine applies to
telephone numbers” and explicitly confirmed Smith s continuing viability: “Wedo not disturb
the application of Smith . . .
(U ) Likewise, four years earlier (in 2014), in Riley v . California, the Court held thatthe
search-incident- to -arrest exception to the Fourth Amendment s warrantrequirementdoes not
extend to accessingcontentstored on the arrestee s smartphone. 192 In doing so, the Courtbriefly
addressedtherelationship between itsholdingand Smith. The Court reaffirmed that Smith had
held that “ theuse of a pen registerwas not a search atallunder the Fourth Amendment." 193 It
went on to find Smith inapplicablebecause there was “ no dispute in Riley] that theofficers
engaged in a search of [the] cell phone." 194 In other words, Smith does not allow the government
to collect phone numberswhen the governmentfirst gains access to those numbersby

187 (U ) Smith, 442 U . S. at 743– 44.
188 (U ) See 2014 Board Report at 110.
189 (U ) 138 S . Ct. at 2211 12.
190 (U ) 50 U . S. C. 1861k) (3 )(B )( iii) ; see also NSA USA Freedom Act Transparency Report at 4 (
include . . cell site location or globalpositioning system information[ . ” ) .

do not

191(U ) Carpenter, 138 S. Ct at 2220 (emphasis added) The Supreme Court' s decision in United States v. Miller,
425 U .S. 435 (1976), upheld the collection of bank recordsby subpoena and without a warrant, see Miller, 425 U . S.
at 440, and is often grouped with Smith as a case involvingthe “ third -party doctrine.”
(U ) Lower courts have since held Carpenter inapplicable “ to grand jury subpoenas sent to an internetservice
provider (ISP) and an emailprovider for subscriber information associated with an ISP accountand an email
address,” “ fixed video monitoring, location-revealingbank records, and online-shopping histories.” Alan Z .
Rozenshtein, Fourth AmendmentReasonablenessAfter Carpenter, Yale L .J. Forum 943, 950 – 51 (2019 ) (footnotes
omitted). While we do notnecessarily endorse the reasoning or holdings of these lower court cases (a result
unnecessary to our opinion in this report), they demonstrate that Smith remainsa live partof the jurisprudence after
Carpenter
192 (U ) 573 U . S. 373, 386 (2014 ).
193 (U ) Riley, 573 U .S . at 400 .
194 (U ) Riley, 573 U . S. at 400

36

TOP SECRET

 conducting a “ search .

Collecting CDRs under the USA Freedom Act does notinvolve any

antecedent search by the government; under the Act, the government serves companies with
court orders comparable to those they receive every day in criminal investigations.

(U ) Riley is different from the CDR program for a second reason . In Riley, the
government argued that even if other information on a phone was constitutionally protected , it
“ should always be able to search a phone s call log.
The Court rejected that argument , noting
that smartphone call logs “typically contain more than just phone numbers ; they include any
identifying information that an individual might add, such as the label
house.
The CDR
provision , by contrast, explicitly prohibits the government from obtaining the contents of any
communication , “ the name, address , or financial information of a subscriber or customer , or
location information . 198 Telephony metadata , unlike smartphone call logs, does not include “ any
information that an individual might add” ; rather , it comprises dialing and routing information
recorded by the company .
The type of information that the government may collect under the
USA Freedom Act CDR provision resembles the information collected by the pen register in
Smith rather than the call logs in Riley 200 In short, there is no evidence that
intended to

195 (U ) A simple analogy mightmake this holding clearer. Assume that a suspectwere to leave a paper with a list of
phone numbers insidehis house on his kitchen table. Assumethat the governmentwere to break into the house and
obtain the list of phonenumbers, without probable cause and a warrant, contrary to the Fourth Amendment. The
obtaining the listof phone numbers was not a “ search under the Fourth
governmentcould not then argue that obta

Amendment. The government s immediately preceding actions— namely, breaking into the house without the
requisite cause and warrant would constitute a search under the Fourth Amendment, thereby triggering the
Constitution s protections. See United States v. Turner, 839 F . 3d 429, 434 n.2 (5th Cir. 2016 ) ( There was no
dispute in Riley thatreviewingthe contents of a cell phone involved a search. At issuewas only whether such a
search was permissible without a warrant when conducted during an arrest. ); United States v. Guerrero, 768 F. 3d
351, 360 n .7 (5th Cir. 2014 ) ( “ The [ Riley] Court' s concerns were thus cabined to the unique circumstances of the
search- incident-to - arrest doctrine, and did notoverrule the separate line of cases , including Smith , dealing with
information already in the possession of an identifiable third party. ).
196 (U ) Riley, 573 U . S. at 400.
197 (U ) Riley, 573 U .S . at 400 .
198 ( U ) 50 U . S .C .

1861k ) ( 3 ).

199 (U ) See FISC Order No. 0007- 10, at 2 (May 2 , 2007) (“ Telephonymeta data includes comprehensive
communications routing information, includingbutnot limited to session identifyinginformation ( e .g ., originating
andterminating telephone number, communications device identifier, etc.) , trunk identifier, telephone calling card
numbers and timeand duration of call” ) [declassified, redacted opinion .
200 (U ) Compare 18 U .S. C . 3127(3) (pen register records“ dialing, routing, addressing, or signaling information
butnot the contents of any communication” ) , with 50 U .S . C . 1861k ) 3) (CDRsmay include session-identifying
information ( includingan originatingor terminatingtelephone number, an InternationalMobile Subscriber Identity
number, or an InternationalMobile Station Equipment Identity number) , a telephone calling card number, or the
time or duration of a call, ” butnot
contents . . .
any communication,” “ the name, address, or financial
informationof a subscriber or customer,” or “ cell site location or globalpositioningsystem information” ) ; see also
Riley, 573 U . S . at 400 (distinguishingdigital call logfrom “ pen register at issue in Smith ); NSA USA Freedom Act
Transparency Report at 10 (“ CDRs, per the statute, contain only telephonemetadata and not, for example, the
contents of any personal communication or the caller' s nameor location of any phonecall. .

37

TOP

 TOP SECRET

alter Smith

a point reaffirmed when , as noted above, the Court subsequently made clear in

Carpenter that ithad not“ disturb [ ed ] the application of Smith.

(U ) One-hop collection of CDRs under FISA s business-records provision
also known
as Section 215 (after the section of the USA Patriot Act that brought this authority close to its
current form ), is comparable to the type of CDR production common in criminal investigations.
Much as grand - jury subpoenas can be used to obtain business records relevant to criminal
inquiries, Section 215 authorizes the FISA court to issue orders compelling the production of
“ tangible things, including business records, in national-security investigations
Ordinary
application of Section 215 to collect one “ hop
CDRs seeks to place the government in the
same position when it compels production of information in national- security cases as when it
compels production in criminal cases .

(U ) While the use of Section 215 to obtain “ one hop of CDRswould operate much like
the use of the pen register in Smith v. Maryland , this program raises the additional question of
whether collecting a “ second hop of dialing information as authorized by the USA Freedom
Act, affects the constitutionalanalysis.
(U ) The inclusion of“ secondhop” informationresults in the collection of a large number
ofrecords.
The Court' s decision in Smith does not suggest, however, that thenumber of
phone recordsdetermineswhether collection constitutesa Fourth Amendment“ search ” for
purposesofthe warrantrequirement
.
To the contrary: Smith andmore recent cases focus on
thenature of callmetadatarecords, rather than the number of data points gatheredby the

201 (U ) 138 S . Ct. at 2220 .
202 ( ) 50 U.S . C .

1861.

203 (U ) Specifically, the statute permits the governmentto make an application for an order requiring the production
of any tangible things ( includingbooks, records, papers, documents, and other items) for an investigation to obtain
foreign intelligence information not concerning a United Statesperson or to protect against internationalterrorism or
clandestine intelligence activities, provided that such investigationof a United States person is notconducted solely
upon the basis of activities protected by the first amendmentto the Constitution.” 50 U . S . C . 1861a) ( 1) .
204 ( U ) This is disclosed by the intelligence community 's AnnualStatistical Transparency Reports. See, e. g., 2018
Statistical Transparency Report.
205 (U ) The District Courtopinion in Klayman v . Obama, a challenge to the bulk CDR program , would have taken
the alternative view . See 957 F . Supp. 2d 1, 35 – 36 ( D . D .C . 2013) (“ Admittedly, whatmetadata is has not changed
over time. As in Smith, the types of informationat issue in this case are relatively limited: phone numbers dialed,
date , time, and the like. But the ubiquity of phoneshas dramatically altered the quantity of information that is now
available, and,more importantly, what that informationcan tell the government aboutpeople' s lives. , vacated and
remanded by Obamav . Klayman, 800 F .3d 559 ( D . C . Cir. 2015 ). That opinion was vacated by the D .C . Circuit,
however, and its reasoningas to telephonemetadata has not been adopted by other courts. Moreover, its holding
arose in the contextof the government s program collecting CDRsin bulk . The court did not have occasion to
consider whether the sameanalysiswould apply if the governmentcollected solely the second
metadata.
See, e. g., Klayman v . Obama, 957 F. Supp. 2d at 35 – 36 ( relying on the “ all-encompassing, indiscriminate” nature of
the collection under the previousbulk telephony program ).

TOP SECRET

 SECRET

governmenton a programmaticlevel. The Courtin Carpenterv. UnitedStates, for example,
distinguished cell- site location data from Smith s pen registerby notingthat the former is more
revealing: “ Afterall, when Smith wasdecided in 1979, few could have imagineda society in
which a phone goeswherever its ownergoes, conveyingto the wirelesscarriernotjust dialed
digits, but a detailedand comprehensiverecord of the person s movements. 206 Similarly, Smith
explained that “ pen registersdo notacquire thecontents of communications
,” “ do nothear
To be sure,
sound, ” and “ discloseonly the telephonenumbersthat havebeen dialed.”
collection oftelephonemetadata at this scale raises legitimate policy concerns aboutits
implicationsforprivacy and civil liberties. Butthe SupremeCourthasnotelevated those
concernsto a constitutionaldimensionby holdingthat collection of telephonecallmetadata can
constitute a Fourth Amendment search” or “ seizure. 208
b

( U ) Even assuming that the collection of CDRs under the CDR program could constitute
a “ search or “ seizure ” under the Fourth Amendment, the program could find a constitutional
basis under a separate strand of Fourth Amendment jurisprudence arising in the national security
context . The Supreme Court has acknowledged that the Fourth Amendment may require
different safeguards ” in the national security context than in ordinary criminal cases 209 Indeed ,
in Carpenter , the Court explained that its “ opinion d [id ] not consider other collection techniques
involving foreign affairs or national security .” 210
(U ) Based on such language, lower courts, including the Foreign Intelligence
Surveillance Court of Review , have embraced a “ foreign intelligence” exception to the Fourth
Amendment s warrantand probable cause requirement. 211 These courts have held that foreign
206 ( U ) Carpenter, 138 S . Ct. at 2217 (emphasisadded).
207 (U ) Smith, 442U . S. at 741
208 (U ) Wedo not addresswhether and how the quantity of data collected by the governmentimpactsthe Fourth
Amendmentanalysiswith respectto other typesofinformation. Cf. Carpenter, 138 S . Ct. at 2217 n.3 .
209 ( U ) Katz v. UnitedStates, 389 U . S . 347, 358 n.23 (1967); United Statesv. U. S. Dist. Court for E . Dist. ofMich.,
407 U .S . 297, 308– 09 & n.8 (1972).
210 ( U Carpenter, 138 S. Ct. at 2220 .
211 ( U ) See In reDirectivesPursuantto Section 105B of Foreign IntelligenceSurveillanceAct, 551 F.3d 1004, 1010
(FISA Ct. Rev. 2008); United States v. TruongDinh Hung, 629 F .2d 908, 915 (4th Cir. 1980) ; accord United States
v. Butenko, 494 F .2d 593 (3d Cir. 1974) ; United Statesv. Brown, 484 F 2d 418 (5th Cir. 1973) . Ourcolleagues
would not here rely on theforeign intelligenceexceptionto thewarrantrequirementor, more generally, the special
needsexception. See Statementof Ed Felten and Travis LeBlancat 71n .336. Yet they do notmake clear whether
any other exceptionwould apply. Their reluctan[ce]”
rely on the specialneedsexception is groundedin a
citation of a decades- old dissentingopinion of the SupremeCourt. Statementof Ed Felten and Travis LeBlancat 71
n. 336 ( citingSkinner . Railway Lab Execs. Ass n 489 U . S. 602 ( 1989) (Marshall, J., dissenting)), but that
exceptionhaslongbeentreated as settled law by the SupremeCourt, see, e.g., LosAngeles v. Patel, 135 S . Ct. 2443,
2452 (2014) (“ Search regimes where nowarrantisever requiredmaybe reasonablewhere specialneeds. . . make
the warrantand probable-cause requirementimpracticable, and where the primary purpose ofthe searchesis

TOP SECRET

 SECRET

intelligence searchesmust satisfy the Fourth Amendment requirement of “ reasonableness,
rather than the usual requirement thatthe government obtain probable cause and a warrant.
(U ) The Foreign Intelligence Surveillance Court of Review has explained current
doctrine in the following manner:
( U ) When law enforcementofficialsundertakea search to uncover evidenceof
criminalwrongdoing, the familiarrequirementof a probable-cause warrant
generally achievesan acceptable balance between the investigativeneedsofthe
governmentand theprivacy interests of thepeople. Butit has longbeen
recognized that some searchesoccur in the service of specialneeds, beyond the
normalneed for law enforcement,” and that, when it comes to intrusionsof this
kind, thewarrantrequirementis sometimesa poor proxy for the textual command
ofreasonableness.

(U ) [ I ] this context, the warrant requirementis ill-suited to gauge what is
reasonable. The textual command of reasonableness— theultimate touchstoneof
the Fourth Amendment,”

stillgoverns. Indeed, it retains itswhole force

( U ) Reasonableness analysis
[ s] the totality of the circumstances and weigh [s ]
the promotion of legitimate governmental interests against the degree to which the search
intrudes upon an individual s privacy . 213 Various factors would be relevant to assessing the
Fourth Amendment reasonableness of the CDR program . The presence of privacy protecting
measures,

including

approved targeting and minimization ” procedures , forms one

distinguishablefrom the generalinterestin crimecontrol
.” ( citations, brackets, and internalquotationmarks
omitted)) (per Sotomayor
, J.) , and providesthe constitutionalbasisfor the passengerscreeningcarried outby the
TransportationSecurity Administrationatairportcheckpoints
. See Ruskaiv. Pistole, 775 F.3d61
, 68 (1st Cir. 2014 )
(“ The courts of appealstreattransit security screeningsas administrative
' or specialneeds' searches, whichmay be
conducted, atleastinitially, without individualizedsuspicion, a warrant
, or probablecause. collectingcases) .
212 ( U ) In re CertifiedQuestion of Law, 858 F .3d 591, 605, 607 (FISA Ct. Rev. 2016) (citationsomitted) . The
courts holdingis instructiveon the question weaddresshere. The courtheld: “ when the government
, acting
pursuantto a program ofsurveillanceinvolvinga legitimateobjectivethat goes beyondeverydaycrimecontrol
,
seeksto use a pen registerdirected at a person locatedin the UnitedStateswho is reasonablybelieved to be engaged
intelligence activities on behalf of a foreign government, it may do so without obtaining a probable
in clandestineinte

cause warrant even if its monitoringofpost-cut-through digits constitutes a search under the Fourth Amendment.”
In re Certified Question of Law , 858 F.3d at 605. In other words, the court held that, even ifthe particular collection
atissuein the case would constitute a “ search” and therefore require a warrantin the criminal context,a probable
cause warrant” was notrequired in the context of a foreign-intelligence search. The court went on to hold that “[t ]he
search, assuming it is one, isreasonable.” In re Certified Question of Law, 858 F .3d at 607 .
213 (U ) United States v.Mohamud, 843 F .3d 420, 441(9th Cir. 2016) (quotingMaryland v. King, 569 U. S. 435 , 448
(2013) (brackets and internalquotation marks omitted )).
40

TOP

 Others include the nature of the
“ important component of the reasonableness inquiry .
information collected , the privacy interest that attaches , and the government interest in the
collection .

(U ) In conducting this analysis, courts assess whether a proposed investigatory activity
was reasonable given what the government knew at the time, rather than with the benefit of
hindsight. In other words, rather than assess the success of a particular wiretap or a particular
program based on what the government discovered , a court conducts a reasonableness analysis
by placing itself in the shoes of a government investigator at the time of the government
search . ” As then -Judge Scalia put the point, just as
search is not to be made legal by what it
turns up ,' the fact that, ex post, a wiretap is seen to have been unsuccessful in developing
national-security information does not establish that, ex ante, it was not reasonable to conduct it
for that purpose . 215 Similarly , then -Judge Ruth Bader Ginsburg explained t hat probable
cause may have been absent when viewing the arrest ex post does not in and of itself establish
that the officer acted in an objectively unreasonable manner ex ante. 216 Indeed, the contrary
rule would mean that every government search that was lawfully predicated at the time would
ultimately be unreasonable
it failed to discover evidence related to a crime or foreign
intelligence . On that logic , every time the government properly elected , as a matter of sound
policy , to shut down a program , the program would become unconstitutional because the
government had effectively conceded that the program s costs outweighed its benefits .

214 (U ) Mohamud, 843 F. 3d at 443.
215 (U ) Smith v. Nixon, 807 F. 2d 197, 203 ( D . C . Cir. 1986) (quoting United States v. DiRe, 332 U . S. 581595
(1948) (footnote omitted ) .
216 (U ) Martin v. Malhoyt, 830 F .2d 237, 263 ( D . C . Cir. 1987); see also Anderson v. Creighton, 483 U . S. 635, 639
(1987) (observing that the relevantFourth Amendment inquiry iswhether “ in the lightof preexistinglaw the
unlawfulness” of governmentaction was “ apparent and describingthe question as an objective(albeit fact
specified) inquiry into whether a reasonableofficercould havebelieved action was legal) . For other cases usinga
similar approach in a variety of Fourth Amendment- related circumstances, see Brucev. Guernsey, 777 F . 3d 872 (7th
Cir. 2015) (“Guernsey also argues that the fact that Brucewasultimately admitted to the hospital and later
involuntarily committed to a behavioralhealth center for three days demonstrates thathe had probable cause to seize
her. Butthe Fourth Amendmentrequiresan ex ante, not an ex post, analysis. ); United States v. Green, 560 F .3d
853, 857 (
Cir. 2009) (rejectingex postanalysis regardingwhether a particulardressercould completely conceal
a person)
217 (U ) That is why we focus on the perspective of those who established the CDR program . As for “ whether an
extension of that authority would be constitutionalin lightof the facts and circumstancesknowntoday, Statement
of Ed Felten and Travis LeBlanc at 71, we do notbelievethat a statute enactedby Congress to reauthorize the CDR
program would be “ facially unreasonable, andhence unconstitutional, under the Fourth Amendment. The Court
hasmade clearthat “ claimsfor facial relief underthe Fourth Amendment” directattacks on the constitutionalityof
a statute, asopposed to the statute s application to a particularset of facts
unlikely to succeed when there is
substantialambiguity as to what conducta statute authorizes.” City of Los Angeles v. Patel, 135 S. Ct. 2443, 2450
( 2015). That is because, to succeed on such a facial challenge, a “ plaintiffmust establish that a law is
unconstitutionalin all of its applications.” Patel, 135 S. Ct. at 2451(emphasisadded , quotationmarks
41

TON

 TOP SECRET

(U ) Viewing the CDR program from the ex ante perspective of those who initiated it,
many factors weigh in favor of finding the program reasonable for constitutional purposes . To
obtain FISA court approval for each “ specific selection term that was the basis for CDR
collection , the government was required to demonstrate a “ reasonable , articulable suspicion ” that
The program was
the specific selection term was associated with international terrorism
implemented under FISA court oversight , minimization procedures mandated by Congress and
approved by the court, and internal oversight by NSA .219 Moreover , the USA Freedom Act ' s
CDR provision expressly limits collection to information comparable to a pen register dialing
and routing information , a category of information about which , the Supreme Court held in
Smith , callers have “ no legitimate expectation of privacy .
And the program was inarguably
run in furtherance of the paramount interest in investigating possible threats to national
security .
That interest, the Supreme Court has held , “ is an urgent objective of the highest
order.
( U ) On the other hand, the CDR program reached outto the second hop, capturing
metadataaboutcalls in which neither of the participantswas the object ofthe“ reasonable,
articulable suspicion” reviewedby the court. And given the inherentmath ofmulti- hop
collection, the number ofrecordscollected at each succeedinghop would foreseeably
exponentiallylarger than those at the precedinghop.

The resultwould be that the largest

omitted). Where a Fourth Amendmentchallenge to a statute necessarily rises or falls on the basis of facts yet
unknown (such as a program ' s costs and efficacy), such a challengecannotbebrought facially. ”
218 (U ) 50 U . S. C. 1861b) (2 ); cf. In re Certified Question of Law, 858 F.
at 607 –08 ( referring, in Fourth
Amendmentreasonablenessanalysis, to the investigativeimportance of havingaccess to the dialing information
providedby post- cut-through digits ) . By contrast, in the Section 702 program held reasonable inMohamud,
targetingdecisionswere madepursuantto court- approved proceduresbut notindividually reviewedby the FISA
court. 843 F. at 443– 44. The court in Mohamudalso held, in the alternative, that the 702 collection in that case
did not require a warrantbecause it was targeted at a non- U . S . person with no Fourth Amendmentright.
Mohamud, 843 F.
at 439 (citing United States v. Verdugo-Urquidez, 494 U . S . 259 (1990))) .
219 (U ) See NSA USA Freedom Act TransparencyReportat 13 (“ Analysts will require appropriate and adequate
training, andmusthave both an internationalterrorism mission purpose and a need to know in order to be provided
access to the CDRsobtained through the USA Freedom Act. Analyst queries of recordsacquired under the USA
Freedom Act willbe intended to determineor identify personsof foreign intelligenceinterestwho maybeengaged
in internationalterrorism . All queries will be subjectto post- query auditing. The USA Freedom Act data willbe
used to produce intelligencereports, followingreportingand minimization procedures. .
. In re Certified
Question of Law, 858 F .3d at 608 ( relying, to assess Fourth Amendmentreasonableness, on the fact that FISA pen
register interceptionsare conducted only with the approvaland under the supervisionofa neutralmagistrate, in this
case a FISC judge” and that “ minimizationprocedures are available, and are regularlyemployed ).
220 (U ) Smith, 442 U . S . at 742; see 50 U . S .C .

1861
(k )( 3).

221(U ) In re Certified Question of Law , 858 F . 3d at 607
222 (U ) Holder v. HumanitarianLaw Project, 561 U .S. 1, 28 (2010); see also Haig . Agee, 453 U .S . 280, 307 ( 1981)
(“no governmentalinterest ismore compelling” than nationalsecurity .
223 (U ) See RemarksofMichaelBahar at Privacy and Civil LibertiesOversightBoard PublicForum on the USA
Freedom Act (May 31, 2019) (“ Butof course, the morehops, the greaterthe exponentialsweep of records. .

42

TOP SECRET

 proportion of communicants in the records collected — the second-hop contacts — would be
people who were neither the objects of reasonable, articulable suspicion ” themselves nor in
direct contact with the object of that suspicion

(U ) In weighing these factors , Fourth Amendment reasonableness analysis resists clear
rules or rigid formulas
It is informative , however , that in the past few years, both the Foreign
Intelligence Surveillance Court of Review and the United States Court of Appeals for the Ninth
Circuit have upheld as reasonable under the Fourth Amendment the incidental (but foreseeable )
collection of content in the context of FISA surveillance .
Notably , the Foreign Intelligence
Surveillance Court of Review s analysis also presumed that collecting a second tranche of
“ dialing information ,” beyond the first number dialed , raised no constitutional problem 227
While the collection of a second hop here is intentional rather than incidental, the privacy interest
attached to the category of information collected — telephone dialing and routing information
is , under settled Supreme Court precedent, qualitatively weaker , and the program was
surrounded by comparable in some respects, stronger ) oversight safeguards .228
(U ) Becausethe Board concludesthatthe program was constitutionalunder the Smith
lineof precedentdescribed above, we need not resolve whether itseparately would be
constitutionalundera reasonablenessanalysis. This accords
the Board' s 2014 report229 and
reflects the Board' s disinclination to offer constitutionalopinionswhere unnecessary; it is not a
view of themerits.
224 (U ) Our report also describes various facts aboutthe operation of the program in practice.
225 (U ) See In reDirectives Pursuant to Section 105B of Foreign Intelligence Surveillance Act, 551 F.3d 1004 ,
1012– 13 (FISA Ct. of Rev . 2008) (rigid test would be at odds with the totality of the circumstances test that must
guide an analysis in the precincts patrolled by the Fourth Amendment ).
226 (U ) In re Certified Question ofLaw , 858 F . at610 ; Mohamud, 843 F . at 441. In In re Certified Question of
Law , the content at issue consisted of certain “ additional digits” dialed after a telephone call is connected, which
“ do not constitute dialing information, but instead constitute a form of content information.” 858 F . 3d at 594 .
These could include a password , a personal identification number, . . bank account number,
credit card
number,” “ or a Social Security number.” In re Certified Question of Law , 858 F .3d at 594. By contrast, the USA
Freedom Act s
provision authorized the governmentto receive only limited categories of non-content
information:
- identifying information . . .
telephone calling card number, or the time or duration of a
call.” 50 U . S. C . 1861(k )( 3) (A ).
227 (U ) See In re Certified Question of Law, 858 F . 3d at 594 & n.2.
228 (U ) For example, under Section 702, targeting decisions are made by agencies themselves, subject to court
approved procedures. Under the USA Freedom Act CDR provision , the FISA courtmust approve each specific
selection term used as the basis for collection . See Mohamud, 843 F .3d at 443 44.
229 (U ) The Board s 2014 report on thebulk CDR report limited its constitutional analysis to the Smith -based
rationale . See 2014 Board Report at 126 .
230 (U ) To the extentour colleagues mean to suggestthe program is vulnerable on First Amendment grounds, see
Statement of Ed Felten and Travis LeBlanc at 76 -77, we disagree. Assuming an intelligence program consistent
with the Fourth Amendmentcould violate the First Amendment, cf. Am . Civil Liberties Union v. Clapper, 959
F. Supp. 2d 724, 753 (S . D .N . Y . 2013), aff
part, vacated in part, remanded , 785 F.3d 787 (2d Cir. 2015 )
43

TOP SECRET

 TOP SECRET

(U ) As explained elsewhere in this Report, we share our colleagues ' judgment that the
for the program s
CDR program s value did not appear to outweigh its “ risks and cost.”
Smith remains good law ” and that “ the
constitutionality , we agree with our colleagues
government had a reasonable legal argument” that the CDR program “was consistent with the
Fourth Amendment at its inception .
But wepart ways with our colleagues judgments on the
role that the Board can and should play in providing clear guidance to lawmakers and
policymakers who seek to respect constitutional limits in designing intelligence programs— and
who may be considering whether to reauthorize the two -hop provision of the USA Freedom Act.
Weworry that a conclusion that the entirety of Fourth Amendment doctrine is up for grabs may
cast a cloud of legal uncertainty over the now -shuttered CDR program , without providing a clear
theory of constitutional infirmity . Although it would intimate (while not concluding outright)
that the program may have been unconstitutional , itwould do so without offering the lawmakers
who passed it and the government employees who implemented it a concrete explanation for
why they may have violated the law , despite their sincere beliefs to the contrary . Our
constitutional analysis has therefore sought to chart a reasonable middle ground of providing
predictability where we see it in the doctrine , while not resolving questions unnecessary to a
bottom - line constitutional analysis. We believe that this approach is the way that the Board may
most effectively serve Congress , the Executive Branch, and the public . It is rare that a novel
program does not diverge from prior cases, such as, here, Smith and its progeny ; the question is
how those distinctions affect the legal analysis . That is the question we have sought to address .
And on that point, our colleagues statement is largely silent. 233 Their statement posits, for
example , that Carpenter and Riley “ carry more significance in assessing the constitutionality of
the CDR program . . . than themajority affords them ,
yet does not explain what that
significance might be.
(U ) More concretely, ourcolleagues' statementdoes notmake clearhow to apply Smith
and subsequent cases to an analysis of the CDR program or othermetadata-collection authorities.
(finding well-supported ” the government s argument that “ surveillance consistent with Fourth Amendment
protections . . . does not violate First Amendment rights ” ), the collection of CDRs under the USA Freedom Act is
not such a program . “ [ A ]ny alleged chilling effect here arises from [ a person' s ] speculative fear that the
Government will review telephony metadata related to their telephone calls .” ACLU v. Clapper , 959 F . Supp . 2d
at 754. Such a fear was found insufficient to establish a First Amendment violation in the context of the bulk
telephony program , ACLU v . Clapper, 959 F . Supp . 2d at 754; cf. 2014 Board Report at 136 ; 2014 Board Report at
210 (statement of Rachel Brand) (“ I agree with the Board ' s ultimate conclusion that the program is constitutional
under existing Supreme Court caselaw .” , and by extension would be insufficient here as well.
231 (U ) Statement of Ed Felten and Travis LeBlanc at 68.
232 ( U ) Statement of Ed Felten and Travis LeBlanc at 74.
233 (U ) Statement of Ed Felten and Travis LeBlanc at 73- 75.
234 (U ) Statement of Ed Felten and Travis LeBlanc at 75.

44

 SECRET

It questions whether the CDR program is “ similar enough ” to Smith for that case to control,
citing facts about themost recent incarnation of the CDR program . 235 Specifically , it notes that,
in Smith , “ the police collected the numbers the defendant dialed . . .
did not collect
information about the duration of the defendant s calls or whether the calls were completed ” ;
that, in Smith , the police did not collect information about incoming calls to the defendant ' s
telephone line” ; and that “ Smith involved a short duration ofuse of a pen register (no more than
2 days ) and the dialing information of just one person ." 236

( U ) The apparent implication of reciting these differences is that Smith should be strictly
limited to those types of dialing information collected by the relatively primitive pen register
available in the late 1960s. But if that is right, the USA Freedom Act CDR authority would be
and the Stored Communications
just one casualty among many: the Pen Register Statute
Act, 238 which are used every day in criminal cases , would be similarly vulnerable . So would the
FISA business records provision , which allows the government to obtain non -content records
based on reasonable , articulable suspicion rather than a probable -cause warrant. 239 Accepting
the statement s narrow view of Smith would destabilize criminal and national- security
investigations across the United States.

( U ) Our colleagues note the potential that CDRs might allow for information about a
user s location in a way that would undermine Smith s applicability and bring the program “ into
an intermediate area between Smith and Carpenter . 240 Yet — and as the prior Board pointed out
in discussing thebulk telephony program it found constitutional telephony metadata will often
provide general insights into location . For example , area codes and telephone prefixes offer
some indicia of location . The possibility our colleagues raise would not appear to be
categorically distinct from these well-understood and expected indicia . For example , the mere
fact that a subscriber of company A roamsinto company B s network would not trigger the
creation of a CDR ; rather, the subscriber would have to place or receive a call. And even then ,
doing so would indicate only that they were in a company B coverage area , notwhich area .
235 (U ) Statementof Ed Felten and Travis LeBlanc at 74 .
236 (U Statementof Ed Felten and Travis LeBlanc at 73.
237 (U ) The Pen Register Statute authorizesthe collection ofboth numbers dialed and incoming calls for a duration
of60 days , with the possibility of further 60-day extensions. 18 U .S . C . 3123 (c ); see also 3127( 3) – (4 ) ( pen
register” obtains “ dialing, routing, addressing, or signaling information” ; “ trap and trace device” “ capturesthe
incoming electronic or other impulseswhich identify the originating number or other dialing, routing, addressing,
and signalinginformation reasonably likely to identify the source ofa wire or electronic communication”).
238 (U ) 18 U .S .C . 2073( c) ) (court order to obtain non-contentinformation aboutsubscribers and “ electronic
communication service or remote computing service” to issue upon a showing of
and articulable facts
showingthat there are reasonable grounds to believe that the contents of a wire or electronic communication, or the
recordsor other information sought, are relevantandmaterialto an ongoing criminal investigation”) .
239 (U ) 50 U .S. C .

.

240 (U ) Statementof Ed Felten and Travis LeBlanc at 75.

45

TOP SECRET

 TUI

Roaming, then , would not appear to provide more specific location information than was
understood and accepted at the time of Smith or, for that matter, more specific location
information than is collected under any other authority that allows the government to receive
telephony metadata . Perhaps for that reason , the Board is unaware of any information to support
the suggestion that NSA actually used the CDRs in the manner suggested by our colleagues .
Now , perhaps technology will change and available location information will becomemore
exact. But the program was suspended . The information available to the government at the time
of its operation simply is not the “ near perfect surveillance ” created
the type of location
information discussed in Carpenter

(U ) Reasonable people can, of course , disagree in good faith about the legality of a
national security program . Yet weworry when Members of the Board cast doubt about the
constitutionality of a program (one that operated for years and collected data relating to millions
of Americans) without explaining where lawmakers and policymakers may have erred in their
efforts to follow the law or what they can do differently in the future to place programs on
surer legal footing

B.

( U ) Statutory Analysis

(U ) In reviewingthe operation of the USA Freedom Act CDR program , from its
incarnation untilits suspension in 2019, the Board considered whether the implementation of the
program comported with the text of the statute. The Board concluded that the program was
statutorily authorized . Moreover, the Board found no abuse of the program ; nor did it find any
instance in which government officials intentionally sought records they knew were statutorily
prohibited. As noted Part II( B ) of this report, the program did not always function as
intended: during itslifetime, a series ofcompliance incidents and data- integrity concerns arose.
These compliance incidents raise technical questions abouthow to interpret the USA Freedom
Act ' s authorities in light of complicated and continually evolving telephony infrastructure.
Importantly, in response to each compliance incidentthat raised questions about the scope of
permitted collection under the statute , NSA chose not to retain or collect data, even where a
readingof the statutory textmighthave justified it .

241( U ) Carpenter, 138 S. Ct. at 2210 .
242 (U ) Although our Board s legal advice is not binding, see supra note 173, our views may have persuasive effect.
See , e.g ., Statementof Sen . Leahy, Cong. Rec. S . 3426 ; Statement of Sen . Leahy, Cong. Rec. S. 3339; Statementof
Sen . Paul, Cong. Rec. S . 3335 (all citing the Board ' s Section 215 report) ; Remarksby the President on Review of
Signals Intelligence ( Jan . 17, 2014) ( citing consultations with the Board in the President' s evaluation ofpotential
intelligence reforms). We should move cautiously and provide clear explanations of constitutional infirmity when
we intimate or concludeoutrightthat intelligence programsmay have run afoulof the law .

46

 TOP

1.

( U ) The USA Freedom Act CDR Program was Statutorily
Authorized

( U ) Beginningin 2006, the FISA court accepted the government s argument that the
then -existing version of FISA' s business-records provision, known as Section 215 , permitted
bulk collection of CDRs.243 Once thebulk CDR program was revealed to the public, that
interpretation became subject to wider scrutiny. In 2014, the Board s report on Section 215
In May 2015 ,
concluded that NSA ' s bulk telephony program was notstatutorily authorized
the United States Court of Appeals for the Second Circuit reached the same conclusion 245 The
nextmonth , Congress enacted the USA Freedom Act.246

(U ) Unlike the previous bulk program , CDR collection underthe USA Freedom Act
rested unambiguously on statutory authority. By the time the Actwas being debated, the details
of the previousbulk program were known publicly. The program had been the subjectof
multiple press reports; the Presidenthad ordered a review of the program and instructed the
Department of Justice and Director of National Intelligence to make changes to its
implementation;247and the Board had released itspublic report. Duringthe debates themselves,
Congress heard from an array of governmentofficials and interest groups,many of whom
testified to the potential benefits and drawbacks of the program
(U ) The resulting statute took clear positions on the issues beingdebated : It authorized
and to
the government to compel with a court order the production of CDRs “ on a daily basis”
require the “ prompt production of a second set of [ CDRs ” based on information produced in

243 (U ) See 2014 Board Report at 9 ( In May 2006 , the FISC first granted an application by the government to
conduct the telephone records program under Section 215. The government 's application relied heavily on the
reasoning of a 2004 FISA court opinion and order approving the bulk collection of Internet metadata under a
different provision of FISA .” (citing Order, In re Application of the FederalBureau of Investigation for an Order
Requiring the Production of Tangible Things, No.BR 06 -05 (FISA Ct.May 24 , 2006 ); Opinion and Order, No.
PR / TT redacted ] (FISA Ct.)); Pub. L . 107 -56 , 115 Stat 272 , 287 (2001) (codified at 50 U .S. C . 1861(2001)) .
244 (U ) 2014 Board Report at 168 72 . Two of the five Board Members did not concur with this analysis. 2014
Report at 209– 18 .
245 (U ) American Civil Liberties Union v. Clapper, 785 F.3d 787 812 (2d Cir. 2015 ).
246 (U ) Pub. L . No. 114-23, 129 Stat. 268 (2015 ) (now codified at 50 U .S. C. 1861et seq. ).
247 (U ) See The White House, Presidential Memorandum
Our Global Signals Intelligence Collection
and Communications Technologies (Aug. 12 , 2013), https //obamawhitehouse .archives.gov/ the -press
office /2013 / 08 /12/ presidential-memorandum -reviewing-our -global- signals intelligence -collec .
248 (U ) See Strengthening Privacy Rights and National Security : Oversight of FISA Surveillance Programs, Hearing
before the Committee on the Judiciary , S .Hrg. 113 -334 (2013), https://www .intelligence .gov /ic -on -the-record
database /results / 38-hearing-of-the-senate -judiciary -committee -on -strengthening privacy -rights -and -national
security - oversight -of-fisa - foreign -intelligence -surveillance -act-surveillance -programs.
249 (U ) 50 U .S.C . 1861 )( )(F )(i).
47

TOP SECRET

 TOP SECRET

response to the initial specific selection term .

In short, it authorizedthe governmentto obtain

two hops of CDRs on an ongoing basis.

( U ) The statutory framework also imposed boundaries on CDR collection. A notable
limitation arose from the definition of “ call detail record, ” which the statute defined to exclude
the contents of a communication , the nameof a subscriber or customer, and cell-site location or
globalpositioning system information. 251 The Board is aware of no instance in which NSA
sought to circumvent this or any other statutory limitation related to the program
For
example, the Board isnot aware of any instance in which NSA sought or obtained global
positioning system information , cell- site location information, or the names of subscribers.

(U ) The technical architecture created by NSA to collect CDRs under the USA Freedom
Act was designed to comport with the statute.
As described in Part IIof this report, the system
contained a series of safeguards; many could bemapped directly to the statutory limitations,
while others were implemented for policy and compliance purposes. For example , when
receiving CDRs from providers , NSA s validation checks could detect if a provider had
accidentally sent additional data fields forbidden by the statute , such as subscriber name or cell
site location information . The system was technically unable to ingest information not contained
in the roughly fifty specified data fields.254
2

(U ) Compliance Incidents and Data Integrity Concerns

(U ) Beginning in 2016 , NSA identified a series of compliance and data -integrity
concerns. These can be divided into two categories: those that could arise in other areas of FISA
or equivalent law enforcement authorities, and those unique to the USA Freedom Act s statutory
framework .
(U ) The incidents involving information omitted from a 2016 application to the FISA
court,

certain NSA officers ' missing required training 256 and a provider ' s production of data

250 (U ) 50 U .S . C.

1861(c)(2 ) (F )(iv).

251 (U ) 50 U . S.C . 1861 k) (3 )(B ). The statute also required the government to conduct this collection under
approved minimization procedures , and to destroy information as required by those procedures . 50 U .S . C .
1861( )(2 )( A ), (F )(vii).
252 (U ) Other statutory requirements include that collection be based on a specific selection term , that the
government have approved minimization procedures, and that it destroys information as required by those
procedures. 50 U . S. C . 1861 )( )( A ), (F )(vii).
253 (U ) See Part II( A ) for an explanation of this architecture. See also NSA USA Freedom Act Transparency Report.
254 (U //FOUO ) See NSA FinalAnswers to PCLOB Questions (Nov. 22 , 2019).
(U ) Part II(B )(1) (a ).
256 (U ) Part II(B )(1)(c).
48

TOP

 TOP SECRET

beyond the end date of an order do notuniquely implicate CDRs or the fact that the USA
Freedom Act provides a two-hop collection authority. Based on our review of the facts, the
Board determined that these incidents were inadvertent, not willful, and thatNSA handled each
case seriously . Whether purposefulor incidental, such compliance incidents are not trivial. In
each instance, the government notified the FISA court and took steps to remediate the issue,
includingby deleting the affected data . 257
Other incidentsraise questionsthat are unique to the contours of theUSA
Freedom Act. Specifically, the incidentsinvolving

258

raise other statutory questions. In these incidents, NSA systemsautomatically
pushed requests to providersthatwere based on data received by NSA in response to a prior
request. These incidents presentintricate questions about the application of statutory terms to
the telephony infrastructure
the first set of CDR -specific incidents , NSA

system automatically

, rather than the ultimate
requested a second hop of data based off
recipientof a call.
, however, that the statute does notactually use the colloquialterm
hop.” Rather, the relevant text of the statute
a FISA court order issued under the Act to
" provide that the Government may require the prompt production of a second set of call detail
records using session-identifying information . . . identified by the specific selection term
as the basis for the first request for CDRs.
The question is thus whether

”

the type of information the governmentcan use to “ require the prompt production of a second set
constitutes
of call detail records” ; that is, in statutory terms, whether

257 (U

See Part II(B ) (1).

258 (U ) Part II(B )(2) (a).
259 (U ) Part II(B )(2)(b ).
260 (U ) Adding an additionallayer of complexity , the relevantprovision of the statute is addressed not to the agency,
but to the FISA court, specifying what an order issued under the CDR provision may and must contain . 50 U .S .C .
1861(c) (2)(F ) (“ An order under this subsection . . shall authorize the production on a daily basis of call detail
records . . . [shall ] provide that theGovernmentmay require the prompt production of a first set of call detail records
. . [shall provide that the Governmentmay require the prompt production of a second set of call detail records
using session -identifying information . . . identified by the specific selection term use to produce [ the first set of] call
detail records[. ” Those statutory termsare then incorporated by the court in the primary orders issued to the
agency and secondary orders issued to providers. The Board is not aware ofany FISA court opinions that address
the compliance incidents discussed here and their implications for compliance with the statute or relevant court
orders.
261 (U ) Re: Preliminary Notice of Compliance Incident Regarding Applications of the Federal Bureau of
Investigation for Orders Requiring the Production of Call DetailRecords, Various Docket Numbers (Nov. 22, 2017).
262 (U ) 50 U .S. C .

1861( )( )(F )(iv).

49

SECRET

 TOP SECRET

session-identifyinginformation . . . identifiedby the specific selection term used to produce
the first set of CDRs. 263

( U ) Although the statute does not define “ session -identifying information,” it does
provide a non- exclusive list of examples , specifying that “ calldetail record” means, among other
things, “ session- identifying information ( including an originating or terminating telephone
number, an IMSI number, or an IMEI number).
The word “ including” indicates that these
enumerated examples are illustrative, not exclusive. Accordingly , “ session -identifying
information” might include other things too. 265
( TS/
Butwhat other things ? Could
constitute session -identifying information” under the statute

used to connect a call

Furthermore , the statute
excludes from its examples of session -identifying information other information that is part of a
CDR , specifically “ a telephone calling card number, or the time or duration of a call.” On the
other hand, reading the phrase session- identifying” to encompass only information about the
endpoints one possible attribute of a session , but not the only one — would effectively
transform
session -identifying
user identifying” or “ endpoint- identifying.” Withoutmore
as
specific language in the statute , it remains uncertain whether the use of
session -identifying information ” would have been appropriate under the statute as the basis for
a request for a second set of CDRs. Moreover , this statutory question must be considered
alongside other textual features of the Act, including Congress ' s prohibition on the bulk
collection ofmetadata .

(

the end, however,the agency adopted a narrow readingofthe statute and

acted accordingly, ending the inadvertent

collection, deleting the

recordsit produced, and notifyingthe FISA court.266

263 ( U ) 50 U . S .C .

1861( c)(2)( F ) iv).

264 (U ) 50 U . S .C . 1861(k )(3). A FISA court opinion predating the USA Freedom Act similarly defined session
identifying information as including, “ e. g., originating and terminating telephone number, communications device
identifier , etc. ” FISC Order No. 2007 -10, at 2 (May 3, 2007).
265 (U ) See, e.g., Federal Land Bank of St. Paul v. Bismarck Lumber Co., 314 U . S . 95 , 100 (1941) ( T ]he term
including is not one of all-embracing definition , but connotes simply an illustrative application of the general
principle [. ” ).
266 (U ) Another intricacy here is that NSA was unaware of the underlying infirmities in the first-hop results when its
system automatically pushed them out to providers as the basis for second - hop collection . Whatever the legal
significance of this fact for purposes of assessing NSA ' s compliance with court orders , NSA took prompt corrective
action once it became aware of the problem . See Re: Supplemental Notice of Compliance IncidentRegarding

TOP SECRET

 TOP SECRET

(

second set of CDR - specific incidents, which involved
raises equally complex statutory questions. There ,
267 According
to its subsequent public press release, NSA stated that“ [ t ]hese irregularities . . . resulted in the
some CDRsthat NSA was not authorized to receive .
deleted the data
production . . .
that ithad acquired as a result of these issues, a fact the agency then disclosed publicly 269
(

The governmentsubsequentlyconsideredwhether it could, in fact, lawfully

request an additionalproduction of
CDR records based on

It concluded that it could obtain

are

reasoning that

identifying information because

in contact with

..

session

are included

270 Out
of an abundance of caution , however, the government also determined that NSA would not
forward any such information to its corporate repositories .

statutory terms, this incident raises subtle questions about the precise
terms of the statute. Could

that

be considered

could then beused to “ require the prompt production of a second setofcalldetail records” ?272
Could

because ofits role in routing the call?

The answers to these

questionsaremurky, and we are aware ofno on -pointprecedentinterpretingthe relevantterms.
, out of an abundance ofcaution , NSA did notforward

Applications of the FederalBureau of Investigation for Orders Requiringthe Production of Call DetailRecords
Various Docket Numbers (Mar. 19, 2018).
267 (U ) SupplementalNotice of Compliance IncidentRegardingMultiple Dockets In Re Applications of the Federal
Bureau of Investigation for Orders Requiringthe Production of Call DetailRecords(CDRs) Pursuantto Title V of
FISA, as amendedby the USA FREEDOM Act (Mar. 4 , 2019).
268 U ) NSAPressRelease, NSA Reports Data Deletion, PA-010- 18 (June 28 , 2018 ).
269 (U ) NSA PressRelease, NSA Reports Data Deletion, PA-010- 18 (June 28 , 2018 )
270 (U ) SupplementalNotice of Compliance IncidentRegardingMultipleDockets In Re Applications of the Federal
Bureau of Investigation for Orders Requiringthe Production of Call DetailRecords(CDRs) Pursuantto Title V of
FISA, as amendedby the USA FREEDOM Act (Mar. 4 2019).
271 (U ) SupplementalNotice of Compliance IncidentRegardingMultiple Dockets In Re Applicationsof the Federal
Bureau of Investigation for Orders Requiringthe ProductionofCall DetailRecords (CDRs) Pursuantto Title V of
FISA, as amendedby the USA FREEDOM Act (Mar. 4 2019).
272 (U ) 50 U . S .C .

1861k)(3 ) ( )( ) (F)(iv).

273 (U ) 50 U .S. C .

1861(k)(3 ).

TOP SECRET

 TOP SECRET

information derived from these providers into its long-term repositories— even though the
Departmentof Justice believedthat itcould . 274

(U ) Other data -integrity errors involved inaccurate data transmitted to NSA by providers .
In one such incident, a provider overwrote certain CDR fields with unrelated data . If the
inaccurate fields were used as the basis for subsequent collection , itwould raise the question
whether an automated request for second -hop results based on irrelevant data returned by a first
hop requestwould constitute a
based on “ session -identifying information . . identified
by the specific selection term used ” in the first -hop request.
responded by ( 1) notifying
the FISA court to describe each of these data - integrity errors and (2) deleting all of the affected
records.
(

the decision not to use the information obtained in incidents

as well as the subsequentdecision to suspend
the program , the governmentnever litigated to a conclusion complications surrounding these
issues. The agency s decisions to err on the side of caution meant that abstract questions about
involving

the application of statutory text to these esoteric compliance incidents were never resolved. At
bottom this analysis reveals an inherent indeterminacy in the statutory text, which incorporates
terms (mostnotably, session identifying information ” ) whose precise meaning is hinted at but
not conclusively defined. NSA resolved statutory uncertainties related to compliance incidents
by proceeding cautiously , opting to rely on narrow interpretations rather than more expansive
alternatives. Nevertheless, this experience counsels close attention to the range of potential
meanings of statutory termsrelating to technology by drafters, overseers, and agencies
themselves. This is particularly importantwhen an agency willbe tasked with applyingthese
terms to large-scale data collection involving complex technical infrastructure whose precise
contoursmay notyet be known. Ultimately, these incidents serve mostly to illustrate the
unanticipated complications that can arise even within a seemingly straightforward statutory
framework

274 (U ) Supplemental Notice of Compliance Incident Regarding Multiple Dockets In Re Applications of the Federal
Bureau of Investigation for Orders Requiring the Production of Call Detail Records (CDRs) Pursuant to Title V of
FISA , as amended by the USA FREEDOM Act (Mar. 4, 2019) .
275 (

50 U. S. C.

1861( ) (2 (F) ( iv).

TOP SECRET

 SECRET

V.

(U ) Analysis of Privacy Risks

(U ) The governmenthas suspended the USA Freedom Act CDR program and deleted the
CDRs itcollected under the program .
As the statutory sunset approaches, however, Congress
will consider whether to reauthorize or modify the CDR provision or allow it to expire . For that
reason, weconsider the privacy and civil liberties risks arising from the type and scale of two
hop CDR collection permitted by the statute and the role that various safeguards play in
mitigating those risks.
A
(U

( U ) Scale and Sensitivity of the Data Collected
Although this program did not collect CDRs in bulk , the volumeof records ingested

was large. According to the Office of the Director of NationalIntelligence s 2018 Statistical
Transparency Report, NSA received more than 151million CDRsin 2016 , 534 million in 2017 ,
and 434 million in 2018. 277 ( These include “ duplicate records” and “ numbers usedbybusiness
entities for marketing purposes.
) In 2018, NSA collected records pertaining to more than 19
million unique phone numbers. 279
(U ) It is criticalto remember that CDRscollected under the USA Freedom Act contained
limited information . Under the statute, CDRs cannot include a call' s content, the name, address ,
or financial information of a subscriber or customer, or cell-site or geolocation information.
Rather, acquired CDRs contained a set of fields including phone numbers, device- identifying
numbers (e .g ., IMEI), subscriber -identifyingnumbers (e. g ., IMSI) , a telephone calling card
number, various routing and status information, and call time and duration.

theory , the connections documented byCDRsmay reveal intimate information
about an individual' s personal life . They could indicate sensitivepersonal facts (such as a
specific health condition ), relationships, occupation, age, or sex . However, as noted in Part
II(A ) (2 ),
Moreover, Tool 1 the
metadata viewer that NSA analysts used to retrieve USA Freedom Act CDRs

had limited

276 (U ) See NationalSecurity Agency, NSA ReportsData Deletion, Statement No. PA-010 -18 (June 28, 2018 ),
https: // www .nsa. gov/news-features/ press -room / Article / 1618691/nsa-reports-data- deletion /; Letter from Daniel
Coats, Director of NationalIntelligence, to Senators Richard Burr, Lindsey Graham , Mark Warner, and Dianne
Feinstein (Aug. 14, 2019 ) (“ TheNationalSecurity Agency has suspended the call detail records program that uses
[ FISA Title V as amended by theUSA Freedom Act] and deleted the call detail records acquired under this
authority . ).
277 (U ) 2018 StatisticalTransparency Report at 30 .
278 (U ) 2018 Statistical Transparency Report at

– 30.

279 (U ) 2018 Statistical Transparency Report at 30 .
280 (U

50 U .S. C .

1861(k)(3 )(B ).

TOP

 TOP SECRET

mechanisms for analysts to annotate CDRs, and there was nomechanism
281

(U ) Researchers have concluded that phone numbers can be combined with public data to
reidentify individualswith trivial” effort, and that it appears feasible — with further
refinement—
draw Facebook- quality relationship inferences from telephonemetadata.
The
feasibility of doing so augments the potentialrisks andharmsassociated with unauthorized users
and malicious actors who, if they had access to records, could de-anonymize CDRs or infer
sensitive data about individuals in thatmanner. However, as noted below , the Board is aware of
no instance in which USA Freedom Act CDR data was accessed by unauthorized ormalicious
actors, and accordingly is aware of no instance in which this risk materialized during the life of
the program
B.

( U ) Privacy Risks Arising from

Two- Hop CDR Collection

(U ) Unlike legalprocesses that allow the collection ofone-hop CDRs (e. g ., grand jury
subpoenas), the USA Freedom Act authorizes the collection of a second hop. A two-hop
program on this scale raises various privacy risks. Some could arise in any program that
involves the large-scale collection of sensitive data . Distinctive features of two -hop collection,
however, could have unique effects on themakeup of the dataset exposed to those risks.

(U ) Specifically, privacy risks that arise from any large- scale collection of sensitive
datasets about Americans include the risk that authorized users could misuse their access to
view , steal, or leak sensitive data for personal, ideological, or other inappropriate ends; the risk
of theft or breach by unauthorized users ormaliciousoutsiders; or the possibility that future
shifts in applicable law , policy, or available technology could alter the balance between privacy
risks and programmaticbenefits.
Limits on retention, technological controls, and the agency' s
compliance culture play an importantrole in mitigatingthese risks, but cannot eliminate them .
While these risks are not specific to the USA Freedom Act CDR program , the exponential
increase in the scale of collection that results from adding a second hop expands significantly the
poolof data exposed to them .

281 ( U ) Of course, if an NSA analystwas using a particularCDR for example, to write an intelligence report— he
or shemay haveused information from that CDR to find other data lawfully in NSA' s possession. Togetherwith
the CDR, this could haverevealed additional information about the originatoror recipientof a call. Learningmore
aboutthe associates ofpeople suspected ofinvolvementin terrorism is, of course, one of the important purposes for
which NSA collects and analyzes this information in the first place.
282 (U ) JonathanMayer, Patrick Mutchler, & John C . Mitchell, Evaluatingthe privacy properties of telephone
metadata, 113PNAS 5536, 5538 (May 17, 2016 ), https //www .pnas.org/content/pnas/113/20 /5536 full.pdf.
283 (U ) For example, future statutory changes could expand the purposes for which NSA is permitted to use or share
the information. Technologicalchanges could
create unanticipatedrisks; improved analyticaltools might
allow , for example, the governmentto draw more sophisticated inferences from the data than is possible today.
54

TOP SECRET

 SECRET

(U ) Two distinctive features of two- hop collection affect the type of records exposed to
those risks. The first arises from the possibility of errors in first-hop results. In a two- hop
program errors in first-hop records, if not caught and corrected , could lead to the collection of a
large number of second-hop records that should nothavebeen collected. For example, if a
technical error caused a first-hop record to include an incorrect phone number as the call
recipient, all second-hop records associated with that number could be erroneously collected. In
a one-hop program , a human agent or analyst would identify relevant first-hop results to use as
the basis for seeking additional collection ; this potentially lessens (although does not eliminate
entirely) the risk of erroneous additional collection based on first hops.
( U ) The second distinctive feature of two-hop collection is that the government is likely
to receive farmore second-hop records, which include information about individuals who are
indirectly connected to the target, than first-hop records , which relate to the target and the
target ' s direct contacts. The result is that in a two-hop program , any privacy risks arising from
the collection disproportionately affect individuals with no direct connection to the
individualized suspicion on which the surveillance rests.

(U ) These two distinctive features of two-hop collection manifested themselves during
the life of the CDR program . At several points, incorrect first-hop results returned by providers
were automatically used as the basis for second-hop requests.284 (Once these incidentswere
discovered, NSA notified the FISA court and deleted the resulting data .) With respect to
volume, 14 orders produced more than 400 million records in 2018, and NSA has acknowledged
the exponential growth in the number of records that results from adding a second hop. 285
(U ) The Board is not aware of any instances in which the abuses described above as
potentially arising from large-scale data collection — breaches, leaks, theft, and so forth
materialized during the short life of the CDR program . The Board has no information suggesting
that CDRswere leaked , breached , ormisused by anyone within the agency . NSA implemented
technological and process controls, discussed below , to reduce the risk of loss or misuse of
CDRs.
C .

(U )

Program

Limits and Controls

( U ) The program operated subject to statutory limits, internal controls , and oversight,
both within NSA and outside the agency. By statute , NSA may only seek CDRs based on seed
The
numbers relevant to an authorized investigation to protect against international terrorism

284 (U ) See Part II (B ) (2 ).
285 (U ) 2018 Statistical Transparency Report at 28 – 30.
286 (U 50 U .S.C . 1861( )(2 )(C ). This collection limitation aligns with the data-minimization principle of the Fair
Information Practice Principles ( FIPPs), which states that “ organizations should only collect ( personal information ]

TOP

 SECRET

agency sminimization procedures, which were adopted by the Attorney General and approved
by the FISA court, limit when and for what purposeanalysts may access USA Freedom Act
CDR data

Specifically, NSA may only grantaccess to personnelwho are trained on the

proceduresand restrictions that govern the handling and dissemination of that data and who have
a need to know .
The procedures also prohibit NSA from retaining CDRs for more than five
years after they were delivered to NSA unless the relevant CDR contained information that
formed the basis for a foreign intelligence report.289
(U ) Internal policies and guidance impose further limits.290 Queries could only be
initiated when “ intended to determine or identify persons of foreign intelligence interest who
may be engaged in international terrorism ,” and were subject to audit.291 These limits and
controls played a role in mitigating the privacy risks posed by the program during its operation .

(U ) Likeother NSA activities, the USA Freedom Act CDR program was overseen by
various elements within NSA. The Board' s oversight, including demonstrationsof NSA s
compliance technology, indicates that the agency has made significant investments in internal
compliance and accountability processes. For instance, NSA hadmeasures in place to ensure
that only the rightpeople could see CDR program information on NSA s systemsand that those
people could use the information only for authorized purposes. Every query by an NSA analyst
is logged and later reviewed by a human auditor familiar with the analyst s mission, and NSA
has deployed technology to augmentthe capabilities of these human auditors. Software
developers seek to build minimization and compliance rules into the design of the user interfaces
that analysts use, reducing the need to rely on human recalland judgment to ensure

that is directly relevant and necessary to accomplish the specified purpose (s) ”
the collection . The White House ,
National Strategy for Trusted Identities in Cyberspace , Appendix A (Apr. 2011),
https://obamawhitehouse .archives .gov /sites /default /files /rss_ viewer /NSTICstrategy _ 041511.pdf.
287 (U ) The statute and minimization procedures limited the purposes for which data could be used . This speaks to
the FIPPs purpose -specification principle, which provides that entities should articulate the authority under which
personal information is collected and the purposes for which it is intended to be used. The White House , National
Strategy for Trusted Identities in Cyberspace , Appendix A (Apr. 2011).
288 (U ) NSA USA Freedom Act Transparency Report at 6 . These restrictions relate to the FIPPs principle of “ use
limitation ,” which provides that organizations should use personal data for the stated purposes and share it in ways
that are compatible with such purposes ,” and the principle of “ data quality ” , which states that steps should be taken
to ensure that personal data is accurate , relevant, timely , and complete .” The White House , National Strategy for
Trusted Identities in Cyberspace , Appendix A (Apr . 2011) .
289 (U ) NSA USA Freedom Act Transparency Report at 7 .
290 (U ) See Part II( A ) ( 2 ).
291 ( U ) NSA USA Freedom Act Transparency Report at 13 . Query limits reinforce the FIPPs principle of use
limitation . NSA s training, compliance , and auditing practices address the FIPPs principle of auditing. See The
White House , National Strategy for Trusted Identities in Cyberspace , Appendix A ( Apr. 2011) .

56

SECRET

 compliance

Automated checks now ensure that analysts whose training has lapsed lose

access to systems for which the training is required.

D .

(U

Transparency and Public Understanding

( U ) Since the unauthorized disclosures by an NSA contractor in 2013, the intelligence
community has taken important steps to enhance transparency , oversight, and compliance . Some
of these stepswere initiated by NSA ; others were mandated by Congress in the USA Freedom
Act and other laws . 293

( U ) As noted in Part I of the report, the CDR program was based on a publicly debated
statute that clearly authorized the government to obtain records out to two hops from the target
number on an ongoing basis
(U ) The plain text of the USA Freedom Act enabled Members of Congress , the media,
outside experts and advocacy groups , and ordinary Americans to anticipate the broad attributes
of the CDR collection that it authorized , even if specific operational details would remain
classified

(U ) Further, the CDR program was subjectto ongoing oversight from all three branches
of government. Outside NSA, these included the FISA court, congressionalcommittees, and the
Privacy and CivilLiberties Oversight Board. NSA and the Department of Justice notified the
FISA court, Congress, and the Board of compliance incidents and data -integrity issues as they
were discovered .
also issued several public disclosures aboutthese issues over the life
of the program and published a detailed, unclassified description of the program
architecture shortly after itbegan.

technical

(U ) The government also provided quantitative data about itsuse of the CDR authority
and the number of records NSA received . Each year, beginning in 2014 , ODNIhasreleased an
Annual Statistical Transparency Report that provides detailed information aboutthe volume of
collection and the number of targets surveilled under various authorities, including the USA

292 (U ) Cf. NSA/CSS Inspector General, Declassified Reporton the Special Study of NSA Controls to Comply with
the FISA Amendments Act $ 704 and 705(b ) Targeting and Minimization Procedures, ST- 15-0005, at 7 – 8 Jan . 7 ,
2015 ) (citing relianceon “manualchecks that analysts perform before queryingdata” as factor contributing to non
compliant queries).
293 (U ) See, e. g., USA Freedom Act, Pub. L No. 114-123, 129 Stat. 268,
294 (U ) 50 U . S .C .

401–02, 502, 601–05 (June 2 , 2015).

1861(b)(2 )(C ), ( )( )( F); see also H . R . Rep. 114- 109, at 17 (May 8 , 2015 ).

295 (U ) Externaloversight was relevantto several principles: itenhanced the program ’ s transparency, helped to
ensure data quality , and made provided accountability. See The White House, NationalStrategy for Trusted
Identities in Cyberspace, Appendix A (Apr. 2011).
296 (U ) NSA USA Freedom Act Transparency Report.
57

TOP

 Freedom Act. The data in these reports conveyed the CDR program s scale, both in absolute
terms and relative to the numberoforders issuedby the FISA court.297 As noted above, for
example, NSA collected 434,238, 543 recordsbased on 14 court orders in 2018. Thatreport also
disclosed for the firsttimethe number of uniquephone numberscontained within those records:
morethan 19 million
The reportshave provided progressively greater detail about how NSA
and other agencies conduct these counts andwhythey opt for certain approachesover others.
The significanteffort thatNSA, the Office of the Directorof NationalIntelligence, and other
agencies invest in compiling and declassifyingthis information is an importantinvestmentin
public understandingof these activities.

297 (U ) These reports also discuss the number of queries that NSA analysts ran against the agency ' s holdings of USA
Freedom Act CDRs. These counts were likely over inclusive , however , for reasons discussed elsewhere in this
report. See 2018 Statistical Transparency Report at31; see also Part III( B ) .
298 ( U ) 2018 Statistical Transparency Report at 30 .
58

TOPSECRET

 TOP SECRET

VI. (U ) Statement of Chairman Adam Klein
(U ) When the Board began to review NSA s collection of call detail records under the
USA Freedom Act, the program was active . By the end of our review , NSA had publicly
announced that it had suspended the program and decommissioned the equipment used to gather
CDRs from the providers.
(U ) This project thus differs from the Board ' s past reports in

important respect The

program it describes is no longer operational. Nonetheless , the short life of CDR collection
under theUSA Freedom Act offers lessons for crafting and implementing future surveillance
authorities.

(U ) I join the Board sreport in full and am grateful to ourstaff for their hard work in
preparing it. Our work has profited immeasurably from their diligence, expertise , and judgment .
(U ) Balancing Security and Liberty
(U ) As Congress recognized in the law that created our Board, “ [t he choice between
security and liberty is a false choice . . . . Our history has shown us that insecurity threatens
liberty . Yet, if our liberties are curtailed , we lose the values that we are struggling to defend.
The USA Freedom Act, like other post-9 /11legislation, reflects a delicate balancing aimed at
preserving those two indispensable goods.

(U ) Counterterrorism programsthat entaillarge-scale collection and retention of sensitive
information about Americans should be initiated and preserved only if the value they provide
outweighs the costs, including risksto privacy and civil liberties, and there isno better way to
obtain the same value . Even where an authority provides great value, policymakers should take
all reasonable steps to mitigate privacy and civil liberties risks. 300
( U ) This program did not involve bulk collection, but it took in largenumbers of records.
During 2017 and 2018, NSA collected nearly 1billion calldetailrecords underthe USA

299 (U ) 42 U . S. C.
b) (3 ) ( quotingNational Commission on Terrorist Attacks upon the United States, The
9/ 11 Commission Report, 395 ( 2004) ).
300 (U See The 9/11Commission Report at 394– 95 (“ The burden of proof for retaining a particular governmental
power should be on the executive, to explain (a) that the power actually materially enhances security , and (b ) that
there is adequate supervision of the executive' s use of the powers to ensure protection of civil liberties. If the power
is granted, there must be adequate guidelines and oversight to properly confine its use. .

59

TOP SECRET

 TOP SECRET

Freedom Act. 301 ( This includes an unknownnumber of duplicates.302) The scale of the
collection is also proportionally large relative to the number of seed numbers associated with
international terrorism . Lastyear, the government obtained 14 FISA court orders based on a
“ reasonable articulable suspicion” that a specific selection term was associated with international
terrorism .
Those 14 orders enabled the governmentto collect 434 million records pertaining
to more than 19 million unique phonenumbers.
Given the exponentialmath of two-hop
collection, it is reasonable to assume thatmost of these were second-hop contacts— callers two
degrees of separation removed from the initialsuspicious actor. Our report describes the privacy
considerations that arise from domestic collection and storage of call detail recordson this scale.
(U ) On the other side of the balance is the operational need for this collection.
Internationalterrorism remains a dangerous threat. Al Qaeda, ISIS affiliates, and other
international terrorist groups continue to menace the United States. Terrorists have capitalized
on modern communications technologies, including socialmedia and encrypted messaging, to
identify , radicalize, and even direct from afar potential attackers in the US homeland .

(U ) Given terrorist groups reliance on digital communications, electronic surveillance
will continue to play an indispensable role in protecting the nation from terrorism . This includes
collection and analysis of communications metadata . The insightful discussion by Board
Members Nitze and Bamzai illustrates how metadata analysis , includingmulti-hop contact
chaining, can “ add significant intelligence value to national security investigations.
Indeed,
metadata analysis maybecome even more important for counterterrorism as content is
increasingly protected by strong, end-to -end encryption .
(U ) The question is what role USA Freedom ActCDRs can play in that defense. The
upcoming sunset of the Act s
authority arrives against the backdrop of terrorist groups
widely documented shift away from telephony to newer, more secure modes of communication.
Researchers have observed that “ [a ] fter the Snowden leaks revealed how valuable terrorists
unencrypted communicationswere for US counterterrorism efforts, terrorist groups swiftly
301 (U Office the Director of NationalIntelligence, StatisticalTransparencyReportRegarding Use of National
Security Authorities, Calendar Year 2017, at 35 (Apr. 2018) (534. 3 million records); 2018 StatisticalTransparency
Report at 30 (434.2 million records).
302 (U ) See Office ofthe Directorof National Intelligence, StatisticalTransparency ReportRegardingUse of
NationalSecurity Authorities Calendar Year 2017, at 35 (Apr. 2018) (“ [ T ]he number reported above . . includes
duplicate records. .
303 (U ) 2018 StatisticalTransparencyReportat 30 .
304 (U ) 2018 StatisticalTransparencyReportat 30 .
305 (U ) See, e. g. , BipartisanPolicy Center, DigitalCounterterrorism : Fighting Jihadists Online, 5 , 15 (May 2018).
306 (U ) Statementof Aditya Bamzaiand Jane Nitze, Part I.
60

TOP SECRET

 TOP SECRET

tightened up their operational security 307 Their shift to IP -based communications, including
socialmedia and encrypted chat apps, has notmade telephony irrelevantto counterterrorism
people still use phones — but, as academic researchers have noted, it has become less central.308
“We are dealing with a challenge right now : New technologies that enable encryption and allow
them to be fairly confident that they are communicating in a way that can t be detected ” one US
official told the news organization ProPublica in 2016 . 309 They know how to communicate
securely .” 310
( U ) This shift suggests that focusing on the full spectrum of digital communications
technologies, rather than voice telephony in isolation, would likely yield greatest
counterterrorism value going forward. Whether the complexities that led to compliance and
data- integrity problemsduring the life of this program are likely to persist into the future
depends on predictive judgments aboutthe future oftelephony networks and company billing
practices, as well as the possibility that the governmentcould develop technicalapproaches to
mitigate these complexities. The technical experts at NSA and outsidetechnologists familiar
with the intricacies of telephony networkswould bebest positioned to render those predictive
judgments . Given the persistence of terrorist threats to the homeland, Congressmay wish to ask
agencies whether they need alternative tools to meet the operationalneed that the USA Freedom
Act and the prior bulk CDR program were designed to address.
(U ) Itis also important to note that USA Freedom Act CDRswere only one of several
avenues by which NSA and FBIcan obtain and analyzecommunicationsmetadata for
counterterrorism purposes. NSA collects phonemetadata and electronic communications
metadata as part of its globalsignals-intelligencemission carried out under ExecutiveOrder
12333. This metadata, stored in an internal repository, can be used to protect the homeland from
internationalterrorism : NSA' s Supplemental Procedures Governing CommunicationsMetadata
Analysis allow “ identifiers associated with both non-US persons and US persons to be used to
query phonemetadata and electronic communicationsmetadata that NSA obtains through other
lawfulcollection methods." 311 NSA can also collect communicationsmetadata under Section

307 (U ) Bipartisan Policy Center, Digital Counterterrorism : Fighting Jihadists Online, 15 (May 2018 ).
308 (U ) Susan Landau and Asaf Lubin, Explaining the Anomalies, Examining the Value : Should the USA Freedom
Act sMetadata Program be Extended ?, at 62 (2019).
309 (U ) Sebastian Rotella, ISIS via WhatsApp: “Blow Yourself Up,

Lion, ProPublica (July 11, 2016 ).

310 (U ) Sebastian Rotella, ISIS via WhatsApp: “ Blow Yourself Up,
311 (U ) Part II(A )(1).

Lion, ” ProPublica (July 11, 2016).

6

TOP

 702 of FISA, and FISC -approved procedures permit NSA to run US - person queries of 702 data if
those queries are “ reasonably likely to retrieve foreign intelligence information . 312

(U ) FBI receives a small subset of NSA s 702 collection and can query that data in search
of foreign -intelligence information or evidence of a crime. Ordinary FISA business records
requests can be used to obtain onehop of CDRsandmetadata from other modes of digital
communication . Given that terrorism -related conduct is often a crime, FBIcan also use grand
jury subpoenas, which are less burdensome to obtain than FISA orders, to obtain first- hop
in terrorism cases.
(U ) NSA is well- positioned to assess which of its various capabilities providethe greatest
operational
. It chose to suspend this program “ after balancingthe program s relative
intelligence value , associated costs, and compliance and data integrity concerns.
Facts
detailed earlier in this Reportsupport that conclusion, even independent of the privacy concerns
raised by domestic collection on this scale. The low volumeof intelligence reportingproduced
by the program

15 reports over several years — is particularly informative, especially when

coupled with NSA s assessmentthat it would expect a program ofthis scale and expense to
generate hundreds or thousands
(U ) That candor is creditable. Itis not easy for any governmentagency to acknowledge
that a program was not successful, despite the resources and effort itconsumed. Agencies
should beencouraged to periodically reassess their collection activities and terminate them when
they outlive their usefulness or when their costs outweigh their value, with privacy and civil
liberties considerationsforming an integral part of that analysis. Scrutiny of intelligence
programs is an essential corrective in our democratic system . However, outside observers should
be carefulto distinguish between abuse or overreach

neither of which we found here — and

programs that, despite good faith efforts, yield less than anticipated. Intelligence is a complex
enterprise in which uncertainty is pervasive. It isnot always clear in advance whether or nota
program will yield benefits commensurate with its costs and risks. If agencies feel compelled to
defend rather than abandon unproductive programs, the principalcasualty will be the privacy of
those Americanswhose data continues to be collected.

312 (U ) Declassified 2018 NSA Querying Procedures for Section 702,

.A.

313 (U ) Christopher Wray, Director, FederalBureau of Investigation, Speech on Section 702 at the Heritage
Foundation (Oct. 13, 2017) (FBIreceives only on targets for which ithas “ full national security investigations,”
amounting to about 4. 3 percentofthe targets that are under NSA collection[. ” ); Declassified 2018 FBIQuerying
Procedures for Section 702,
. . 1.
314 (U ) Unclassified Letter from Director of NationalIntelligence Dan Coats to Senators Richard Burr, Lindsey
Graham , Mark Warner, and DianneFeinstein , at 1 ( Aug. 14 , 2019 ).
315 (U ) See Part III B)
62

TOP SECRET

 TOP SECRET

II.

(U ) Root Causes of the Compliance Incidents and Data
Integrity Challenges

(U ) The Board reviewed in detail each compliance incidentor data-integrity problem
reported during the program ’s life. Wefound no malfeasance or intentional abuse by NSA
personnelin implementing this program . Nor did we find any instance in which the agency
intentionally sought to obtain information that itmay not havebeen authorized to receive. NSA
personnelworked diligently to diagnose, report, and repair the problems encountered during the
program ' s operation and to delete erroneously provided information once it was discovered .
(U ) The compliance incidents arose, with limited exception,
from issues that were
latent in the recordsNSA received from the providers. Phone companies ' billing systems are
understandably designed to meet their own business needs. By contrast, NSA' s mission of
extracting reliable intelligence from these CDRs while complying with statutory restrictions,
court orders, and other legal obligations required a high level of precision and certainty about the
attributes of the data.

(U ) While wefound no intentional attempts to collectmoredata than authorized
unintentionalover- collection, triggered by anomalies in the first-hop data returned by providers,
proved a recurrent problem . The program involved a complex, machine- to -machinetechnical
architecture, with limitedhuman intervention once initial, court- approved selection termsentered
the system . One side effect was that errors in the data could “ cascade[] across large numbers of
records, with lagginghuman awareness.
In other words, the system , by design, automatically
-hop
recordsbeforea
human
could evaluate the first-hop results. With ordinary
pulled in second
requests for onehop of CDRs, by contrast, a human FBIagentor analyst would review the initial
results. Before using any first-hop results to seek additional, second-hop records, that agent or
analystwould work to distinguish meaningfulconnectionsfrom irrelevantor erroneousdata ,
includingby using information acquired under other legalauthorities.
(U ) By all accounts, NSA technical and analytical personnel demonstrated diligence and
considerable ingenuity in uncovering, diagnosing, and working to repair each problem as it
arose. NSA also built checks into the system in an attempt to prevent collection errors before
The fact that
they occurred , and updated those checks as new problemswere discovered .
irregularities continued despite these exertions reflects the unique technical and compliance
challenges that attended this program .

316 (U ) See Part II( B )
317 (U ) Julian Sanchez, Senior Fellow , Cato Institute,Remarks at Privacy and Civil LibertiesOversight Board Public
Forum on the USA Freedom Act (May 31, 2019).
318 (U ) See Part II( A ).

 SECRET

(U ) The lesson here is not that Congress should prescribe the precise technical
mechanisms by which surveillance authoritiesmay be implemented, or that automated, iterative
mechanismswill never beappropriate. To the contrary : In some cases, theymay be the only
choice, particularly as the expanding volume of data makes constant human oversight of every
technical process less feasible . What s more, automated mechanismsmay bemoreprivacy
protective in some respects, by keeping human eyes off of the data and removing human bias and
temptation as a point of failure.

(U ) Thepoint, rather, is that a program may present qualitatively different implications
for privacy, civilliberties, and compliance if implemented usingan automated ,machine-to
machine architecture with limited human intervention,than if it relies on human-to -human
fulfillment of one-off requests. The remedy is not prescriptive technical specifications,but to
remain aware ofthe potentialimplications of program architecture as outsidebodies conduct
oversightand the agency itself structures its compliance and auditmechanisms.
III.

(U ) The Role of Statutes in Regulating Domestic Surveillance

( U ) I agreewith much of the insightful statement penned by Board Members Nitzeand
Bamzai. I take a somewhatmore sanguine view , however, of two topics they address: the ability
of Congress to constructively regulate in the area of domestic surveillance, and the utility of
specifyingparticular technologies in statutory text.

(U ) Since 1978 Congresshas created a comprehensive statutory architecture to govern
domestic surveillance for national-security purposes. That system , which began with FISA and
which Congress has continued to expand and diversify since then,319 has helped protectprivacy
and civil liberties. But it hasalso been good for theagencies themselves. Codification places
domestic surveillancepracticeson a publicly enacted legal foundation, empoweringagenciesto
actwith the confidence thatcomes from explicit authority conferred by thepeople s
representatives. The contrastbetween the reaction to the 2013 leaks that revealed thebulk call
records program , which rested on a secretly approved legal interpretation, and the reaction to this
program , which rested on clear, publicly debated, publicly enacted statutory authority, is
illustrative.
(U ) Ofcourse, the risk that statutes will produce unintended consequences is ever
present, in intelligence statutes as in any other, and calls for careful drafting. I sharemy
colleagues view that the accidental, unavoidable compliance errors that can occur in any large
319 ( U ) See, e. g. , Intelligence Reform and Terrorism Prevention Act of 2004, Pub. L . No. 108-458; Implementing
Recommendationsof the 9 / 11Commission Act of 2007, Pub. L . No. 110-53; FISA Amendments Act of 2008, Pub .
L . No. 110- 261; USA Freedom Act of 2015, Pub . L . No. 114- 23 ; FISA Amendments Reauthorization of 2017, Pub.
L . No. 115- 118 ( 2018) .

64

TOP SECRET

 TOP SECRET

enterprise , private or public, should notby overly granular codification be transformed into
statutory violations, triggering disproportionate consequences and undesirable risk -aversion .

( U) Inmyview , however, FISA generally achieves the right balance in this regard by
requiring agencies to create minimization, targeting, and querying rules, requiringthe FISA court
to review them , andrequiring the intelligence community to declassify them as far as possible. 320
Congress has notsought to supply this intricateweb of permissions and prohibitions by statute ,
but instead opted to mandate that they exist and providemechanismsto verify their adequacy.
(U ) Finally, we should remember that the possibility of unintended consequences runs
both ways: it arises equally when Congress declines to act, allowing agencies to develop
domestic surveillance programswithout explicit statutory authority or boundaries. To legislate,
ormerely to oversee : there is no universally right choice.

(U ) Mycolleagues also consider the disadvantages createdbythe USA Freedom Act' s
limitation of two-hop collection to telephonemetadata, rather than other, newer technologies.
Technology-neutrality, is, of course, often well-advised in crafting statues in this era of rapid
technological change. I agree with my colleagues on that. Yet I see the implications somewhat
differently , both with respect to this statute and the principle of technology neutrality more
generally
(U ) First, it is true, as mycolleagues note, thatby tying the USA Freedom Act s two hop
authority to telephonemetadata , Congress limited the statute ' s usefulness. 321 But we should
also remember why it did that. It is notbecause Congress was unawareof the benefits of
technology -neutral authorities: witness Section 702 , a technology -neutralcollection authority
that has proved highly valuable. 322 FISA' s business-records provision, which is also up for
reauthorization this March, provides technology -neutral authority to collect one hop ofmetadata.
The government reports that that provision is very useful, precisely because it embraces the latest
communication technologies.

Rather, Congress limited two-hop collection in the USA

320 (U ) See, e.g., 50 U . S. C . 1881a( e) (requirementto adopt, submit for judicialreview, declassify, and publish
minimizationproceduresfor Section 702).
321( U ) Statementof AdityaBamzaiand Jane Nitze, Part II
.
322 (U ) See Privacy and CivilLibertiesOversightBoard, Reporton the SurveillanceProgram OperatedPursuantto
Section 702 of the Foreign IntelligenceSurveillanceAct 104– 10 ( 2014) ( Since 2008, the numberofsignals
intelligencereportsbased in whole or in part on Section 702 has increased exponentially, and 702 is
valuable” for other foreign- intelligencepurposes. .
323 (
briefingto the Board (Mar. 12, 2019). Specifically, the Bureautold theBoard
of the 56
businessrecordsrequestsin 2018 soughtelectroniccommunicationstransaction records, or ECTRs, which FBI
described to the Board as arguably themostvaluableuseofthis authority.

65

SECRET

 TOPSECRET

Freedom Act to telephonemetadata because the law was designed to achieve a very specific end:
providing a narrower replacement for the previous bulk CDR program .
( U ) Second, while I agree that, when crafting surveillance laws, technology-neutrality
should be the default, there are times when it willmake sense for a law to pick out particular
technologies. The churn of technological innovation will inevitably spit outnew modes of
communication and other technologies whose privacy implications we cannot presently foresee.
For that reason, itmay be rational for Congress to specify that an authority permits use of a
known, present-day technology, while excluding emerging or yet- unknown technologies that
may provemore invasive.

( U ) Consider a hypotheticaltechnology -neutralstatute authorizing an agency to employ
biometric analysis.” Congress mightreasonably prefer to allow an agency to use fingerprinting,
and perhaps some forms of facial recognition,while excluding “ rapid DNA identification
devices, which aremakingpositive identifications possible in as little as 90 minutes,” or other
intrusive biometric checks yet unimagined .

Or legislatorsmight choose to permit facial

recognition where photos are taken ata clearly identified checkpointin a secure area, but to
prohibit it where images are taken in public, or by stealth .

(U ) The point is that enacting a technology-specific statute is not always a blunder.
Rather, where consciously chosen, technology-specificitymay reflect a considered judgment to
rule out applications that would transform the authority at issueinto somethingmore intrusive
than Congress intended. The USA Freedom Act supplies a real-world example : Congress
approved two-hop CDR collection, but specifically barred the government from collecting “ the
contents . . .
any communication,” “ the name, address, or financial information of a subscriber
or customer,” and “ cell site location or global positioningsystem information,” presumably
based on its view that these types of data would be qualitatively more revealing than other data
that CDRs ordinarily contain
(U ) Indeed, technology-specific legislation , with its effect of anchoringlevels of intrusion
in the present, may becomemore common as technology races forward. Avulsive technological
change seems to arrive every few years: the internet, IP -based messaging, socialmedia,
smartphones, biometrics, big data , the internet of things, and AI each galloping pastwith
324 (U See H . R . Rep . No. 114 - 109 ( 2015 ), at 17 (USA Freedom Act ' s CDR provision “ relies on ” previous reforms
to bulk metadata collection “ to establish a new , narrowly -tailored mechanism for the targeted collection of telephone
metadata . . part of an authorized investigation to protect against international terrorism . This new mechanism is
the only circumstance in which Congress contemplates the prospective , ongoing use of Section 501 of FISA in this
manner .” ).
325 (U ) International Biometrics & Identity Association , Biometrics & Identify: DNA Biometrics ( visited Oct. 18 ,
2019 ) , https://ibia. org/biometrics -and- identity /biometric -technologies / dna .
326 (U ) 50 U . S. C .

1861 k ) ( 3 ).
66

TOP

 TOP SECRET

irresistible momentum , with quantum computing and more on the horizon. Congress may
choose to legislate more frequently to ensure that, as new technologies emerge, the statutory
dispensation continues to balance security and liberty in the manner it intends.

6

TOP SECRET

 SECRET

VII. (U ) Statement of Board Members Ed Felten and Travis

LeBlanc327
(U ) Weappreciate the tireless work of the PCLOB staff, the thoughtfulness of our
colleagues, and the unyieldingdedication of the men and women of the national security
establishmentwho every day commit themselves to protecting our great country. The threat of
terrorism — both domestic and foreign is very realand has taken a long toll on our nation s
history. It is in this context that the Board conducts oversightof the USA FREEDOM Act CDR
program ,mindfulof ourmission to balance privacy and civil libertieswith nationalsecurity .
Together, we join the Board in issuingthis Reportto enhance transparency and public
understandingof this discontinued program .
(U ) Wewrite separately to stress our view that the USA FREEDOM Act CDR program
should remain shuttered and the program should not be reauthorized. Wereach this conclusion
for three reasons. First, the program producedminimalnational security value. Second, the
program s expense is disproportionate to its value. And third , the program intruded on the
privacy and civil liberties ofmillionsof Americanswho were not subjects of individualized
suspicion. On balance, the privacy and civil liberties impacts, combined with the program ' s
costs, outweighed the program ' s national security value. Also, we do not join the Board' s
constitutionalanalysis for the reasons stated below . Finally, we disagree with suggestions that
the sameprogram with data from differentmedia would solve the problems experiencedwith the
USA FREEDOM Act CDR program .

(U ) The value of the CDR program was not worth the risks and

cost.
( U ) In August 2019 , following three years of operation of the USA FREEDOM Act CDR
program , the Director of National Intelligence acknowledged in a letter to select Members of
Congress that

[NSA
suspended the [USA FREEDOM Act call detail records program . . .
and deleted the call detail records acquired under this authority. This decision
was made after balancing the program s relative intelligence value, associated
costs, and compliance and data integrity concerns caused by the unique
327 (U ) Statementfrom

Travis LeBlanc: While I do join the Board in issuing this documentto providetransparency

aboutthe facts and history of the program so that Congress and the publicmay scrutinize its value, I respectfully
decline to adoptthe document s conclusionsbeyond transparency about the USA FREEDOM Act CDR program .
Statement from Ed Felten: I join the Board ' s report in full, except that I disagree with the constitutionalanalysis, for
the reasonsdiscussed in this statement.

TOP SECRET

 TOP

complexitiesofusing these company-generatedbusinessrecords for intelligence
purposes. 328
( U ) The program remains dormant today. Over the three years this program was operational, it
cost over $ 100 million .

( U ) As discussed in detail in the Report since implementing the revised CDR program ,
NSA encountered multiple data integrity and compliance problems. While NSA expended
considerable effort to diagnose and remediate the problemsas they arose and mitigate the
likelihood of recurrence, the errors nevertheless recurred.
s credit, in response to
irregularities in somedata received from telecommunications service providers[
NSA ultimately concluded that “ it was notfeasible to identify and isolate properly produced
data

from improperly produced data so itdeleted data collected under the program .

(U ) There is no indication that the conditions that led to the compliance errors are likely
to change. If the program were reauthorized and restarted , it is hard to see what NSA could do to
avoid further data integrity problems and accesses to data beyond the boundaries envisioned by
the statute .

(U ) Further, advancements in communications technology have already reduced the
potential value of the CDR program . Independent experts331 and academics 332 have argued that
telephony data is of decreased value given the shift to different communications protocols, such
as encrypted messaging. Both NSA333 and

agree that communicationspatterns and

platformshave changed and that the current environment is unlike what itwas years ago. These
communication platformsand technologies will continue to change and develop . And, as

328 (U ) Letter from Director of National Intelligence, Dan Coats, to Senators Richard Burr, Lindsey Graham , Mark
Warner, and Dianne Feinstein (Aug. 14, 2019 ) (expressing support for reauthorization of sunsetting provisions of
the USA FREEDOM Act).
329 (U ) NSA Press Release, NSA Reports Data Deletion, PA -010 -18 (June 28 , 2018 ).
330 (U

A very small number of records were retained because they were referenced in disseminated reports.

331 (U ) See, e. g., Privacy and Civil Liberties Oversight Board, Transcript of Public Forum to Examine the USA
Freedom Act, Telephone Records Program (May 31, 2019 ) ( statement of Mr. Michael Bahar), http :// pclob . gov
(
t' s fair to say the terrorists know asmuch as you can to stay off your phones. Or if you stay on your phone .
start transitioning to encrypted communication . . . And ifyou ve got everything, you ve got nothing. .
332 (U ) See, e.g., Privacy and Civil Liberties Oversight Board, Transcript of Public Forum to Examine the USA
Freedom Act, Telephone Records Program (May 31, 2019 ) (statement of Professor Susan Landau , http:// pclob .gov
(“ There are a number of changes that have happened since the summer of 2001. Technically and socially in the way
we communicate, in the way terrorists communicate.” .
333 (U ) NSA briefing to the Board (May 23, 2019 ).
334 (U ) FBIbriefing to the Board (June 19, 2019 .

TOP SECRET

 SECRET

counterterrorism targets increasingly rely upon non- phone communications modalities,
utility of phonemetadata analysis in counterterrorism will continue to decrease .

II
.

the

( U ) Wecannot join the Board' s constitutionalanalysis.
(U ) Themajority devotes over a dozen pages of the report to a constitutional analysis of

the USA FREEDOM Act CDR program . We respectfully part ways with our colleagues in two
ways.

(U ) First, we question whether a constitutional analysis of the CDR program was prudent.
While we can contemplate a circumstance where assessmentof the constitutionality of a program
would be helpfuland informative, given our Board ' s limited time and resources, we question the
utility of a constitutional analysis of this particular program . The USA FREEDOM Act CDR
program has been suspended . Its existence and primary contours were publicly known and
debated, and itwas subject to oversightby the Foreign Intelligence Surveillance Court.
However, in lightof the constitutional analysis provided by our colleagues we address our
thoughts below .

(U ) Second, themajority does notgo as far as we would have gone in discussing a full
picture of complex and evolving constitutionallaw. As the courts are continuing to grapple with
how to apply the Fourth Amendmentto new technologies, and especially to records held by
communications providers, wewould have preferred a discussion of this challengingarea of law ,
rather than a conclusion of constitutionality restingon a formalistic application of case law that
the Board declined to endorse in its 2014 report. Further, the majority s constitutional
assessment is silent on the First Amendment implications of the USA FREEDOM Act program .
Assuming arguendo that “ reasonableness” is the appropriate Fourth Amendment standard for
evaluatingany resumption of the USA FREEDOM Act CDR program , we would have instead
assessed not the reasonableness of the program at its inception, butwhether a resumption of the
program aswe know itnow would be constitutional. Because the pointof a Fourth Amendment
reasonableness analysis is to weigh privacy intrusions on individuals againstgovernment national
security and law enforcementinterests, we would have preferred a forward

335 ( U ) Privacy and Civil LibertiesOversightBoard, Transcriptof Public Forum to Examinethe USA Freedom Act,
TelephoneRecordsProgram (May 31, 2019) (statement of ProfessorSusan Landau) ( [ C ] ommunicationis not
happeningover the telephonenetwork. . . . When I look at the question ofrecords, what I see is a change in
communicationmodality. ” ), https:/ / www .pclob . gov/ reports/report-public-forum ; Privacy and CivilLiberties
OversightBoard, Transcriptof Public Forum to ExaminetheUSA Freedom Act, TelephoneRecordsProgram (May
31 2019) (statementofMr
. MichaelBahar) (“ [ I ] t ' s fair to say the terroristsknow as much as you can to stay off
your phones. Or if you stay on your phone. . . start transitioningto encrypted communication[ . ]
https: //www . pclob. gov/ reports/ report- public- forum .

70

TOPSECRET

 TOPSECRET

looking analysis that factored in the now -known minimalnationalsecurity value of the program
balanced against its privacy impacts.

A .

( U ) Whether the Board should conduct a constitutional analysis of

the CDR program .
( U ) The Board has a statutory responsibility to provide independent oversight of
government activities that involve more personnel than the Board employs and greater resources
than the Board possesses . It is essential that the Board exercise careful discretion in both its
selection of matters to review and in how it conducts its reviews. In much the same way that
courts practice judicial economy, we recommend that the Board responsibly adhere to a similar
principle of oversight economy. We should prioritize providing constitutional and legal analysis
where the Board has an institutional comparative advantage that will inform the Executive
Branch , Congress, courts , and the American people. In contrast to the circumstances
surrounding the Board ' s constitutional analysis of the 215 bulk records program , for the reasons
noted above , we would have focused the Board 's time and resources elsewhere .
B.

( U ) Themajority' s constitutionalanalysisof the CDR program

does not go far enough .
( U ) A conclusion that a now defunct program was constitutional at its inception is not as
helpful as a discussion aboutwhether the current landscape of facts and jurisprudence would find
it so . Accordingly , we would ask not whether Congress acted appropriately when itpassed the
USA FREEDOM Act CDR provision , but rather whether an extension of that authority would be
constitutional in light of the facts and circumstances known today
This, we believe , would be
336 (U ) We also do not support the majority ' s reliance on a “ foreign intelligence ” exception to the Fourth
Amendment warrant requirement in its analysis . It is our understanding that the Supreme Court has left open the
question of whether there is a “ foreign intelligence exception ” to the Fourth Amendment . We are mindful to
exercise caution in expanding any special needs exception to the Fourth Amendment . Such amalleable exception is
at risk of not only expanding the Fourth Amendment beyond the expectations of the Founding Fathers , but also of
expanding it beyond the literal text of the Amendment . Such an expansion risks sweeping into its ambit numerous
activities solely because they are un -favored today . Thus , we tread cautiously and inspired by the wisdom of Justice
Marshall, who wrote in Skinner v . Railway Labor Executives ' Association , There is no drug exception to the
Constitution , any more than there is a communism exception or an exception for other real or imagined sources of
domestic unrest. [ A ]bandoning the explicit protections of the Fourth Amendment seriously imperils
right to be
let alone — the most comprehensive of rights and the right most valued by civilized men.
Skinner . Railway
Labor Executives ' Ass n. 489 U .S. 604 ,641 ( 1989) (Marshall , J., dissenting ) (citation omitted ) (quoting Olmstead v.
United States, 277 U . S . 438 , 478 ( 1928) ( Brandeis, J., dissenting )). Accordingly , we are also reluctant here to assert
that the “ special needs” exception to the Fourth Amendment may apply .
337 ( U ) We are taking the ex ante position that Congress must now contend with a different landscape of known facts
and circumstances than those which advised its decision in 2015 . That altered landscape includes new facts about
the value of the program and difficulties operating it, new Supreme Court jurisprudence , and a new understanding of
both the privacy intrusions fostered by this program as well as the government interest furthered by the program .

TOP SECRET

 TOPSECRET

most helpful to Congress and the public as they consider what to do with the program in the
future. To be clear, we do not reach a conclusion here. We do, however, raise points thatwe
believe should be considered by Congress. We conclude that there are considerable distinctions
between precedent on which our colleagues rely and the reasonable expectations of privacy in a
modern world .
( U ) The crux of the majority ' s position is this: In Smith v. Maryland, the Supreme Court
held that law enforcement collection of certain types of call records is not a “ search ” under the
Fourth Amendment. The USA FREEDOM Act CDR program involved the collection of call
records. Ipso facto , the CDR program is not a search or seizure under the Fourth Amendment.

(U ) In 2014, however, theBoard expressed doubts aboutwhether that legalargument was
right as applied to bulk collection ofcall detailrecords. In its priorreport, the Board explained
thatbasic argument, and then discussed factual, policy, and legal reasonswhy Smith and the
“ third -party doctrine” may not have been a sufficient constitutionalbasis for thebulk CDR
program . Importantly, the 2014 report did not reach a conclusion on the constitutionality of the
bulk program . Instead, the Board provided an accurate and evenhanded perspective: it indicated
that the governments relianceon Smith was a reasonable legalposition, that courts had reached
differing conclusions aboutthat position, and that the law in this area is challenging, rapidly
changing, and difficult to predict
Webelieve the Board' s assessmentfrom 2014 remains
spot on, and subsequentlegaldevelopments like Riley v. California and Carpenter . United
States lend further support to that perspective.
(U ) We take issue with the majority s characterization that the 2014 Board was
" unanimous" in finding the pre-2015 bulk telephony program constitutional— notwithstanding
the factual differences between that program and Smith. As the Board wrote in 2014 : “ it is
possible that the contemporary Supreme Court — if called upon to evaluate the bulk collection
telephony CDR program
the Fourth Amendment would not consider Smith v. Maryland
to have resolved the question .” And in congressional testimony just weeks after the 2014 report
was released , our then-Chairman DavidMedineexplained “ The Board also believesthat the
NSA 's bulk telephone records program raises concerns underboth the Firstand Fourth
Amendments to the United States Constitution . Our report explores those concerns, explaining
that while governmentofficials are entitled to rely on existing Supreme Court doctrinein
formulating policy, the existing doctrine does not fully answer whether the Section 215program

Knowing what we know now , we have serious doubts going forward about whether the USA FREEDOM Act CDR
program is reasonable under the Fourth Amendment.
338 (U ) 2014 Board Report at 11, 103 27

TOP SECRET

 TOP SECRET

constitutionally sound.

the majority points out, the Board also notedin its 2014 report the

following:
the SupremeCourt rules otherwise, Smith v. Maryland and the third-party
doctrine remain in force today. Governmentlawyers are entitled to rely on them when
appraising the constitutionality of a given action. 340 Wereweserving on the Board in 2014, we
would have entirely agreed, aswedo now . To us, however, both can be true: the Board ' s
analysis of the constitutionality of the 215 bulk program raised questions about the
constitutionality of the program under both the First and Fourth Amendments, but
notwithstanding those concerns, the governmentwas entitled to rely on the law as it stood at the
timeto govern the contours of its intelligence program . Wewould reach the same conclusion
about the USA FREEDOM Act CDR program now .
(U ) Because Smith and the third-party doctrine are so central to Fourth Amendment
analysis of the USA FREEDOM Act CDR program , we briefly outline someof the Board' s 2014
concerns and discuss how subsequent legal and technicaldevelopments reinforce those concerns
in the context of the CDR program as weknow it now . We do notendeavor to rehash the
Board ' s 2014 report, and we encourage the public to read this report in tandem with the 2014
report.

(U ) In the 2014 report, the Board outlined key factual differences between the bulk
telephony CDR program under Section 215 of the USA PATRIOT Act and the Smith case.
For example, the Board noted that the bulk telephony CDR program gathered significantlymore
information about each telephone call and aboutfar more people than did the pen register in
Smith. In Smith , the police collected the numbers the defendant dialed after the pen register was
installed, butdid not collect information about the duration of the defendant' s calls or whether
the calls were completed, nor aboutcalls made previously by the defendant. Nor did the police
in Smith collect information about incomingcalls to the defendant s telephone line. Further
Smith involved a short duration ofuse of a pen register (no more than 2 days) and the dialing
information of just oneperson. Finally, in 1979, there was no ability to aggregate dialing
recordswith those of other individuals and gain additionalinsightfrom that analysis. 342
(U ) We will have to agree to disagree with our colleagues on the significance of the ways
in which the USA FREEDOM Act CDR program differs from the underlying facts in Smith. It
339 (U ) Recommendationsto Reform Foreign Intelligence Programs: Hearing Before the H . Comm. On the Judiciary,
113th Cong. 9 (2014 ) (statementof DavidMedine, Chairman, Privacy andCivil Liberties Oversight Board),
https://www .pclob. gov/ library/Medine-Testimony-20140204-House_ Judiciary_ Comm .pdf.
340 (U ) 2014 Board Report at 126.
341 (U ) We do notrepeatthe Board' s full analysis here. For a full analysis , see the 2014 Board Report at 111 12.
For a more detailed discussion ofthe underlyingfacts in Smith v Maryland, see the 2014 Board Report at 111 14.
342 (U ) See 2014 Board Report at 126.

TOP SECRET

 is our view that those differences are more significant than themajority believes them to be and
that nothing in the intervening five years has undercut them . 343 If anything, recent research has
put the Board ' s concerns from 2014 on an even more solid factual foundation : there is a
significant privacy impact associated with large-scale telephone record collection . 344
( U ) Wedo not dispute that Smith remains good law . Nordo we dispute that the
governmenthas a reasonable legal argument, grounded in Smith , for why the shuttered USA
FREEDOM Act CDR program was consistentwith the Fourth Amendment at its inception. But,
just like the Board in 2014 , weare not prepared to endorse that argument given whatwe believe
to be the serious factual differences from Smith . In short , we question whether a court
considering the specific facts of the USA FREEDOM Act CDR program would find them
similar enough to the underlying facts of the primitive “ pen register in Smith to extend that
forty - year - old precedentto cover the USA FREEDOM Act CDR program . Webelieve that the
majority places much greater weight on Smith than is warranted.

(U ) There areadditional facts about the USA FREEDOM Act CDR program that remain
classified, and that bolster our view that Smithmay notbe as dispositive as suggested by the
majority.
(U ) In Smith, the police collected a list of called numbers. In the CDR program , a record
can be returned if a selection term matches the record ' s originating number, dialed number,
terminating number, billing number, IMSI(unique identifier for a phone subscriber) IMEI
(unique identifier for a phone handset), equipment serialnumber, or calling card number. In
addition, the CDR program collected about 50 data fields for each call , including information
about the caller, callee, their phone carriers , and various routing and status information.
The
information collected appears consistent with the statute, but it goes wellbeyond what the court

343 (U ) Moreover, a recognition that the SupremeCourt' s opinion in Carpenterand Riley should be fairly considered
alongside Smith is a reasonable assessmentof the state of constitutionalprecedent. The majority appears to have
embraced the dissentingview in Carpenterof the third-party doctrinethat such a recognitionwould destabilize
criminal and national- security [ sic ] investigationsacross the United States. See Part IV ( A ) (2) ; see also Carpenter
v. United States, 138 S . Ct. 2206 , 2223, 2233– 35 2018) (Kennedy, J. , dissenting). However, in Carpenter, the
majority of the SupremeCourt embraced the same caution we urge today As Justice Frankfurternoted when
consideringnew innovations in airplanes and radios, the Courtmust tread carefully in such cases, to ensure that we
do not embarrassthe future.”
U . S . 292, 300 ( 1944 .

Carpenter, 138 S . Ct. at 2220 (quotingNorthwest Airlines, Inc. v. Minnesota, 322

344 (U ) Jonathan Mayer, Patrick Mutchler, & John C . Mitchell, Evaluatingthe privacy properties of telephone
metadata, 113 PNAS 5536 , 5538 (May 17 , 2016 ) ( finding
telephone metadata is densely interconnected, can
trivially be reidentified, enable automated location and relationship inferences, and can be used to determine highly
sensitive traits” ), https:/ /www. pnas.org/ content/ pnas/ 113/20/5536 .full.pdf.
345 (U ) Riley v. California, 573 U . S . 373, 400 (2014) (citing Smith v. Maryland, 442 U . S . 735 ( 1979)).
346 (U ) See Appendix B .

TOP SECRET

 TOP SECRET

considered in Smith. As an example, CDRscould includeinformation aboutwhether a mobile
phone involved in a call was roaming and on which network it was roaming. This might serve as
a proxy for a phone s location within broad coverage areas. For example , if a CDR records that
a phonewhose home provider is Company A was roamingon Company B network, this
implies the phone was very likely in a location covered by B s network but notby A s . In
addition, a CDR can contain information aboutwhich switchingequipmenthandled a call, which
can convey further location information.347
(U ) It is facts like these that take the USA Freedom Act CDR program further from Smith
and into an intermediate area between Smith and Carpenter.
In Carpenter, the Court
determined that warrantless collection of cell site location information violated the Fourth
Amendment, and Chief Justice Roberts noted that “ [a ] majority of this Court has already
recognized that individuals have a reasonable expectation of privacy in the whole of their
physicalmovements. 349 The more precise location data becomes, the more such data has the
potential to revealpersonaldetails of one s life. 350 Although NSA did not collect cell site
information in CDRs, and the statute expressly prohibited such collection, the fact that
contained information indicative ofmore coarse- grained location doesmake Carpenter relevant.
Wecannotsay how the Courtwould ultimately rule on the facts of the USA Freedom Act CDR
program ,but in viewing the Court s most recent Fourth Amendment decisions, the picture
becomes less clear than themajority would suggest.
(U ) Legaldevelopments since the 2014 report strengthen our argument that Smith may not
be as definitive as the majority suggests. Wenote, as our colleagues do, that as technology
evolves, so too has the SupremeCourt s Fourth Amendmentjurisprudence. While the Courthas
not considered facts similar to the USA FREEDOM Act CDR program , and has not overturned
Smith, we believe that Riley and Carpenter carry more significance in assessing the
constitutionality of the CDR program based on the facts as we know them now than the majority
affords them . In Riley v. California, the SupremeCourtaddressed a longstanding rule in Fourth
Amendment law : that law enforcementneed notobtain a search warrantbefore conductinga
search incidentto a suspect's lawfularrest. The Courtheld that the search -incident-to -arrest
exception to the Fourth Amendment s warrant requirement does notapply to cell phones: “ Our

347 (U ) The implied location that mightbe inferred from a CDR is generally coarse -grained and does not violate the
statute ' s prohibition on CDRs containing cell site location or global positioning system information . ”
348 (U ) Carpenter , 138 S. Ct. at 2206 .
349 (U ) Carpenter, 138 S. Ct. at 2217 (citing United States v. Jones, 565 U . S. 400, 415 430 (2012) (concurrences of
Alito , J. , and Sotomayor, J. )).
350 (U ) Carpenter, 138 S. Ct. at 2218 .

TOP

 answer to the question of what policemustdo before searching a cell phone seized incident to an
a warrant.” 351
arrest is accordingly simple

(U Morerecently, and even morerelevant to the USA FREEDOM Act CDR program ,
the Court held in Carpenter v. United States that law enforcement access to a week or more of
cell- site location records constitutes a Fourth Amendment“ search” and ordinarily requires a
search warrantbased on probable cause. In Carpenter, the government argued that Smith and the
third -party doctrine should lead to the conclusion that because cell- site location records are held
by telephone companies, or third -parties, government access to them is notsubject to the Fourth
Amendment. But the Court didn 't go that way. The Court expressly distinguished Smith and
explained that the volume of data , the sensitivity of the data , and the unavoidability of the data
collection by the third -party all weighed in favor of Fourth Amendment protection .
(U ) The majority makes much of the Supreme Court s insistence in Carpenter that Smith
remains good law . This we likewise do not contest . But the Carpenter discussion does not
address how Smith applies to the USA FREEDOM Act CDR program . Carpenter — like Riley
and United States v . Jones352 instructs that that is not an easy question .

(U ) While Rileyand Carpenter do not overturn Smith, each contains commentary that
presents a window into the Court's view of the intersectionofnew technology and the Fourth
Amendment. Itis against this backdrop that wewould have preferred theBoard' s constitutional
analysis to have been set.
(U ) In addition to presenting an incomplete picture of how the Fourth Amendment may
intersectwith theUSA FREEDOM Act CDR program as we now know it to be, the majority
does not assess the program s First Amendment implications. This large- scale CDR program
surely sweeps in the CDRs of protestors, journalists, political activists, whistleblowers, and
ordinary people. The First Amendment protects fundamentalrights including the freedomsof
speech and association. The Board' s 2014 analysis of the First Amendmentchallenges to the
previous bulk CDR program largely extends to the USA FREEDOM ActCDR program ,
especially with respectto the potentialchilling effectcreated bya program that collects the
phonerecordsofmillionsof people, withoutindividualized suspicion
One would expect a
court' s review of the reasonablenessof the constitutionality of the USA FREEDOM Act s

351 (U ) Riley , 573 U .S . at 403.
352 (U ) “ In United States v. Jones, the SupremeCourt ruled that placing a GPS device on a Jeep driven by a criminal
suspect, and then using the device to track the Jeep s movementscontinuously for four weeks, was a “search ” under
the Constitution.” 2014 Board Report at 122 (discussing United States v. Jones, 565 U . S . 400 (2012 ) . For a more
complete discussion of Jones, see the 2014 Board Report at 122– 24.
353 (U ) We do not repeat the Board' s fullanalysis here. For a fullanalysis , see the 2014 Board Reportat 128– 36 .
76

TOP SECRET

 TOP SECRET

program to also consider the program ’s implications on the First Amendment rights of
Americans

(U ) We do notknow whether a court, presented with the facts available to us, would find
the USA FREEDOM Act CDR program to be constitutional. That is the same basic conclusion
thatthe Board reached in 2014 about the bulk telephony CDR program . Wedo not believe,
however, that the majority ' s analysis presents a complete picture of the current First and Fourth
Amendment landscapes to establish that reauthorization and reoperation of the program ,
knowing what we know today, would be constitutional.

III.

(U ) The same program with data from differentmedia is not

the answer .
(U ) Finally, in assessing the USA FREEDOM Act
program s national security
value, ithas been suggested , including by some of our fellow BoardMembers , that a multi- hop
metadata collection program governing other types of communication media may prove more
valuable than the CDR program . While this has notbeen a part of the Board' s oversight review
of the CDR program and is not something the Board investigated, we think it is important to note
our disagreement with these suggestions.

(U ) On this point, we are in general agreement with Chairman Klein. Congress knew
what it was doing when itchose to limit this authority to telephony The prior bulk 215 program
had been focused on telephony, and the USA FREEDOM Act framework was designed to
authorize a version of that program . The limitation of the bulk program to twohops had already
been adopted as a matter of policy — so Congresswas authorizing the program more or less as it
was operating at the time.
(U ) Even with the limitation to telephony — a technology with a 100 -year history — there
was substantial debate about legislating clear boundaries for its use in the CDR program . Had
Congress instead tried to legislate over a broader and more rapidly evolving set of technologies,
the definitional and boundary-drawing problemswould have been vastly more difficult.

(U ) And there is no reason to think the compliance or data quality issues encountered in
the CDR program would havebeen less severe for other types of communicationsmedia.
Working with a sector where developingnew capabilitieswithout fully examiningdownstream
impacts is a common business practice would not have been conducive to stability and data
accuracy — let alone compliance. Congress chose to scope the program to cover amore
established technology operated by stable, long-lived , and historically regulated American
companies.

(U ) All ofthat said , there

and will continue to be significant intelligence value in first
hop communications metadata , and in additional hops where there is specific analytical

TOP SECRET

 TOP SECRET

justification for acquiring them . What experience with the CDR program has taught is that
domestic multi-hop metadata , without specific justification for its collection , is likely to have
little impact on national security but would undermine the privacy of large numbers of
Americans .
*

*

( U ) The USA FREEDOM Act CDR program was implemented with knowledgeof the
Board' s findings in 2014 regarding the bulk collection program , finding that the government
could not demonstrate a strong enough showing of efficacy to justify the privacy and civil
liberties implications of the program . The Board noted that “ [i ]f the government and Congress
seek to develop a new program to replace the Section 215 program , any such new program
should be crafted farmorenarrowly, and the governmentshould demonstrate that its
effectiveness will clearly outweigh any intrusions on privacy and civil liberties interests.
This balance has notbeen realized in the USA FREEDOM Act CDR program . In the end,
whether for concernsover constitutionalimplications or for policy reasons, we concurwith
NSA s decision to end the program and believe the program should remain shuttered .

354 (U ) 2014 BoardReport at 169.

TOP SECRET

 TOP SECRET

VIII

(U ) Statement of BoardMembersAditya Bamzai
and Jane Nitze

(U ) Congress s consideration of legislation to reauthorize the call detail records program
of the USA Freedom Act provides occasion to assess notonly the program s costs and benefits,
butalso themanner in which Congress can legislate best in rapidly evolving technologicalareas.
When the Board reviewed NSA s bulk telephony metadata program in 2014 , itwas divided. Key
findings on the program s value split the Board three to two. In Congress and the public sphere,
too, there were disputes, we believe largely in good faith , about the merits of the program Five
years after the USA Freedom Actwas enacted and a new CDR program established, there is less
room for debate. The program was statutorily authorized and constitutional under controlling
precedents. It also was expensive, plaguedwith data - integrity concerns, and produced minimal
intelligence relative to other nationalsecurity programs. Itis, of course, incumbent on us notto
fall into a cycle of timidity and aggression," 355 or to assumewe aresafe irrespective of, rather
than because of, our security programs. But we have a hard time lookingatthis particular
program as it actually operated and concludingmuch other than that the game is notworth the
candle. That' s not to say, though , that a well-designed metadata program , onenot restricted by
some of the USA Freedom Act s statutory limitations, couldn't succeed .

some figures down: Over its short lifetimethe CDR program cost, at a
minimum, 100 million dollars. NSA estimatesover

were given to the

providers alone, on top of the administrative costs of running the program and the resources
expended unpacking and then resolving each of the compliance concerns. Against these costs,
the specific benefit that the CDR program provided was the ability to get a “ second hop” of
CDRs in a relatively expeditious manner, without the need for a FISA business- records order for
each “ first-hop number. 356 Yet as noted in Part III( B ) of the Board' s report, the program

355 (U ) Manyhave noted that the nationalsecurity apparatusengages in “ controversial action[ s] at the edges of the
law ,” faces recriminations for those actions, and acts with timidity until a crisis spurs it, once again, to act atthe
edges of the law . JACK GOLDSMITH , THE TERROR PRESIDENCY: LAW AND JUDGMENT INSIDE THE BUSH
ADMINISTRATION 163 (2007) . See also 2014 Board Reportat 209 ( statementof Rachel Brand).
356 ( U ) The USA Freedom Act does not speak of “ hops.” Instead, it uses the following language:
An order under this subsection . . .

.

) providethat the Governmentmay require the

promptproduction of a first set of call detail recordsusingthe specific selection term . . . and ] (iv )
provide that theGovernmentmay require the prompt production ofa second set ofcall detail
recordsusing session- identifyinginformation or a telephone calling card number identified by the
specific selection term used to produce calldetail records under clause ( iii) [ . ]

79

SECRET

 TOP SECRET

resulted in the issuance of only 15 intelligence reports. While wemay not expectmetadata
collection activities to produce as many reports as content collection activities , the government
itself noted the program s limited relative value
The Board was informed, moreover, that FBI
found the reports largely (though notwholly ) redundant: in only two instances did FBIreceive
unique information from USA Freedom Act CDRs.

of the reasonsthe CDR program did not produce a large volume of
usefulintelligence can be traced back to evolutionsin technology since the first iteration of a
post- 9 / 11telephonymetadataprogram . Experts in and out of governmenthave noted a shift
away from traditionaltelephony, with terrorists increasingly using chat applicationsand
encryptedmessaging. Yet CDRs collected under the USA Freedom Act did

result, the program could nothave
detected the 2019 analog of the reason itwas created: to see
The blame does not restwith NSA.
Traditional telephone records simply do not carry the same importance they once did ; no version
of a domestic metadata program fixed solely on traditional telephony was likely to have
produced intelligence reflective of its costs.

(U ) That should not, however, distract us from the reality thatmulti-hop analysis can
have important intelligence value. Simple commonsense examples illustrate how . First,
consider the case of a terrorist organization usinga trusted intermediary, or “ cutout,” for
communications. The governmentmay be investigating a particulartarget (“ A ” ) who
communicateswith a person (“ B ” ), who in turn communicates with a senior terrorist leader
(“ C ” ). Investigatorsknow of both A s and C s connection to the terrorist network, but do not
know with whom C is communicating. If investigatorsare unaware of B , single -hop collection
would show only that A is communicatingwith an unknownparty, B . Because B is unknown,
the governmentmay beunable to establish the “reasonable articulable suspicion” necessary to
secure process for further hops. 358 Two- hop collection, by contrast, allows the governmentto
see that A and C maybe communicatingthrough an intermediary, thereby bringing B s potential
significance as a cutout to investigators attention.
(U ) This is but one ofmany examples that illustrate how contact-chain analysismay add
significant intelligence value to national- security investigations. Here are two more. Consider
that the target of an investigation (“ A ” ) could be communicating directly with a senior terrorist
leader (“ C ” ) and also , at the same time, with an unknown party (“ B ” ). The governmentmay
(U ) 50 U . S. C .
( )( )(F )(iii)– (iv). For ease of exposition,we use the morecolloquialterm “ hop,” butwemean
to capture the precise textof the statute.
357 (U ) SeeNSA briefingto theBoard (May 23, 2019); see also Letter from Daniel Coats, Directorof National
Intelligence, to Senators Richard Burr, LindseyGraham , Mark Warner, and Dianne Feinstein (Aug. 14, 2019).
358 (U ) 50 U .S. C .

1861(b)(2 )(B ).
80

SECRET

 TOP SECRET

have no reason to investigate B until second -hop data shows that B , too , is communicating with
C . Or consider that second -hop data may reveal a hub -and -spoke organization to a terrorist
network , with an intermediary in communication with other parties of interest whose call records
the government does not have. Contact chain analysis could give investigators the ability to
identify the relevant persons within a network leaders and critical individuals worthy of further
investigative time and resources .
(U ) Consider, aswell, that in areas where the governmentis required to obtain orders
from the FISA court for collection, multi-hop collection may allow the governmentto acquire
information faster and more efficiently than single-hop authorities. With regard to the FISA
court: there are, no doubt, salutary benefits to requiring the governmentto express in writing its
justifications for surveillanceand to seek approval from an independententity before obtaining
sensitive data. Yet, as the Board' s reportexplains, the drafting and approval process for
applications to the FISC can take “ days or weeks. 359 Andwewonder if the time lost and the
resourcesrequired mightnot sometimes deter investigators from seeking perfectly lawfuland
appropriate orders. By allowingmoredata to be acquired with fewer FISA court applications,
multi-hop collection lessensthese potential drawbacksand carries efficiency advances as
compared to single-hop authorities even in spaces in which equivalentdata may be
theoretically available under other authorities.
(U ) Allthis is not to say thatmulti- hop analysis is without its costs. Like for any national
security program , policymakershave to weigh the resources required to run multi-hop analysis
againstits intelligence value . They also should consider that by its nature, multi- hop analysis
inevitably results in the collection of an exponentially larger amount of data than single-hop
analysis. Just imagine for a momentall the numbers you dial— and that dialyou ranging from
restaurants from which you order takeout, to bankswith whom you check your accountbalance,
to telemarketers who call you unannounced. Then imagine allof the numbers that those numbers
call and all the other people who call those numbers. Even when the CDR program operated as
designed, multi-hop collection acquired all those numbers
of terrorists A , B , and C in the examples above.

along, of course, with the numbers

(U ) The difficulty of quantifying costs and benefits in this area is not a unique feature of
multi-hop programs. Indeed , more often than notpeople disagree in goodfaith aboutthe relative
costs and benefits of particular intelligence programs. On rare occasions, though , thebalance
willbe fairly apparent — as it was to NSA and to us) in the case of the USA Freedom Act CDR
program . The value ofmulti-hop analysis in the abstractmay be substantial; the value of this
particularmulti- hop program , in our view , was not.

X

359 ( U ) See Part II( A ) .

TOP

 II.
(U ) Manywillpoint aswedo — to changing times and technologiesin assessingthe
relative valueof the CDR program . But that obvioustruth should not pullusaway from the
harder question of how law and policy affect intelligence programsin both intended and
unintendedways, potentially alteringboth their operationalutility and invasiveness. In
reviewingthe transition from the bulk collection program to the operation, and then suspension,
of the CDR program, we see the followingworth noting.
(U ) First, by tying theUSA Freedom Act to telephonymetadata alone, Congresslimited
the statute s usefulness as terroristsmoved away from traditionaltelephony as their primary
modeof communication. Expertshave noted that the codification of surveillanceauthority in
one technologicalmedium will naturally push those seeking to evade governmentdetection to
substitute alternativemethods of communications.
And yetthe Actdid not providemulti-hop
authority for themyriad otherways in which terroristsmay communicate, from emails to
encryptedmessaging. That proved to be a problem . Thus, in the future, for surveillance
authoritiesto be useful in a world ofrapidly advancing technology, they should be neutralas to
communicationsmethods. 361
(
, severalof the compliance incidents arose when Congress codified
in statute a two -hop architecture, a framework that seemsto assumethat telephone
communications occurbetween two parties (i .e . , A calls B ). But in a world where
communications can occur through intermediaries, the two -hop statutory framework results in
ambiguities as to how to determine the scope of a particular communication. The compliance
incidents related to
were created by this statutory
ambiguity and premised on the fundamental question left open by the statute What s a hop ? In
this fashion , the USA Freedom Act itself created the potential for compliance difficulties ,
prompted by statutory confusion when the application of law to technology arose in unforeseen
circumstances . 362

360 (U ) See generally RemarksofRobertLitt, General Counselfor the Office of the Directorof National
Intelligence, Statementbefore the Senate Judiciary Committee(Dec. 13, 2013).
361 ( U ) The same issue arose when Congressamended the pen register statute in the USA PATRIOT Act of 2001.
See In re Certified Question, 858 F .3d 591, 602 ( FISA Ct. Rev. 2016) (“ The principalchange to the pen
register/trap -and-trace provisionwasto make those provisionsapplicablenot just to telephony, but to all formsof
wire and electronic communications. .
362 ( U ) Courtshave addressed comparable questionsin the contextof the pen register statute . See, e .g., In re
Certified Question of
, 858 F .3d at 591; In re Google Inc. Cookie PlacementConsumer Privacy Litig. , 806 F .3d
125 (3d Cir. 2015) .

TOP SECRET

 SECRET

(U ) Third, somecompliance incidents were caused simply because telephone providers
turned over incorrect data to NSA.
The government would appropriately request first- and
second-hop data from a provider, only to receive data that did notmeet the statute' s expectations.
There are, of course, manyauthorities, such as the Pen Register Statute 364 and the Stored
Communications Act,
which the governmentseeks telephonymetadata . Wedo not
know the number of compliance incidents under those separate authorities and whether the rates
of incorrect data from providers under the CDR program were higher than rates under other
programs. Wewould like to know the numbers, and if any differences were due to unique
features of the USA Freedom Act.
At a minimum , we believe the issuewarrants further
inspection.

(U ) Allthe foregoingsuggests thatwe should bewary ofoverly strict statutory regimes
that limit technologicalflexibility; under some circumstances, rigoroususe of oversight functions
may even be superior in ensuring that government activities properly balance security and
privacy interests. The Presidentordered significantchanges to the bulk telephony metadata
program after internalexecutive review , and the Board reported that after one year (and prior to
the passage of the USA Freedom Act) the governmenthad accept[ ed many of the
recommendations” in its report. 367 Although these assessments did not occur untilunlawful
disclosuresofthe program led to public debate, that doesn ' tmeanwe should reflexively seek
answers in unduly prescriptive statutory regimes thatoffer littleby way of technological
flexibility to implementingagencies.
(U

To be sure, law is essential to ensuring that the government does notoverreach and

that our nationalsecurity apparatus remains democratically accountable to the people. Yet
explicit and detailed codification of intelligence practices carries risk to both operations and
privacy. It carries operational risk when it is unduly rigid, given the ever -changing threats our
country faces. And it carries risk to our civil liberties when it serves as a continued source of
positive authority even as technology evolves. Some of the laws governing access to electronic

363 (U ) See Letter from Daniel Coats, Directorof NationalIntelligence, to Senators RichardBurr, LindseyGraham ,
Mark Warner, and Dianne Feinstein (Aug. 14, 2019 ) (noting “ the unique complexities ofusing these company
generated business recordsfor intelligence purposes” ).
364 (U ) 18 U .S .C .

3121et seq .

365 (U ) 18 U .S .C .

2701 et seq.

366 ( ) It is possible the errorrate under the USA Freedom Act CDR program was either higher or lowerthan is
found in recordscollected under other authorities. Given time limitations, wewere unable to determine if it was
even feasible to answer this question, never mind account for any differences in the error rate.
367 (U ) Privacy and CivilLiberties Oversight Board, Recommendations Assessment Report 1 (
https://www .pclob. gov/library /Recommendations Assessment-Report.pdf.
83

TOP SECRET

. 29 , 2015),

 TOP SECRET

communications that precede the commercial internet (not to mention the smartphone ) exemplify
these risks. 368

(U ) The impact on intelligence and privacy of the changeswroughtby the USA Freedom
Act is particularly difficult to assess. For example, under the bulk collection program NSA
approved only about 300 query terms in 2012. Yet underthe USA Freedom Act, which
prohibited bulk collection of call detail records, 164,682 US person querytermswere run against
NSA 's data last year alone, perhaps in partbecause queries no longerrequired pre- approval
either from designated agency officials or from the FISA court. 369 Atthe same time, the number
of intelligencereports dropped precipitously from one program to the next. In the three-year
periodbetween 2006 and 2009,NSA issued 277 intelligence reports — more than ten times the
numberproduced during the life of the USA Freedom Act CDR program . It' s not immediately
obvious to ushow to compare bulk collection with limited queryingagainstmore limited
collection with more extensive querying; we also do notknow ifthe drop in reports was due
largely to changes in technology. At a minimum , though, it strikes us that a case can be made
that the USA Freedom Act rendered the collection of CDRsless operationally valuable while
augmenting the very privacy concernsit soughtto lessen .

(U ) The threats we face have not abated and technology continues to evolve . We
encourage legislators to work with the executive branch as well as technology experts to
understand any gaps in current authorities and how technology may be leveraged to better protect
privacy while respecting national security imperatives. 370 To retain operational
over time,
368 ( U ) Forexample , the Electronic CommunicationsPrivacy Act addresses the interception of electronic data and
access to stored communications. But it was passed in 1986 and contains provisionsthat lead to counterintuitive
results with modern technology. It allows the governmentto use a subpoena to obtain emails and similarelectronic
messages if they are stored on a third-party server formore than 180 days, butrequiresa warrant to access the same
emailsif they were in storage for a shorter periodof time. 18 U . S. C . 2703(a ) ( ).
369 ( U ) To be sure, as noted in Part III B ) , this number is inflatedbecause of themannerin which NSA tracks and
counts queries; many of the 164,682 query termswould never return USA Freedom Act CDRs. However, that
number is still over 500 times higherthan the number of annualquery termsduring the operation of the bulk
program . Even substantial overcounting would not appear to make up for the difference.
370 (U ) Our colleagues suggest that a multi-hopmetadata program notlimited to telephonymetadatacould never
provemore valuable than the CDR program . See Statement of Ed Felten and Travis LeBlanc at77. On the basisof
this record, noneof us can know. In lightof the theoreticaladvantagesofmulti- hop analysiswe have described
above, it should be unsurprisingthat the intelligence community has identified contact-chain analysis as a significant
toolthat is worth the cost of collection and compliance underappropriate circumstances. Perhaps, though, we agree
on more than we disagree. Ourcolleagues say there “ is and will continue to be significantintelligence value in first
hop communicationsmetadata, and in additionalhopswhere there is specific analyticaljustification for acquiring
them . ” Statementof Ed Felten and Travis LeBlancat 77 – 78 (emphasis added ). It seemswe agree that there is value
in exploringthat potential.

TOP SECRET

 TOPSECRET

new communications surveillance authorities should be technologically neutral, allowing the
government s implementation — both in gathering intelligence and in protecting civilliberties
to evolve alongside technology and themanner in which our adversaries plot and threaten our
Nation. Welook forward to workingwith Congress on these issues.

TOP SECRET

 SECRET

( U ) Appendix A
(U Part II includes an unclassified description of the compliance and data- integrity
issuesNSA experienced with the USA Freedom Act CDR program . The Board worked with the
intelligence community to declassify and include asmany facts related to these issues as possible
in Part II. However, many facts necessarily remain classified because their release could be
expected to cause exceptionally grave damageor seriousdamage to the nationalsecurity. To
protect this information, but also to ensure additional transparency for appropriately cleared
individuals, includingmembers of Congress, this annex describes those issues andNSA' s
response in a more comprehensive, classified manner.
A .

(U ) GeneralComplianceMatters
1.

(U ) Omitted Information from FISA Application

86

SECRET

  

2.

 

(U) 

 

 

3. (U) Training Compliance Incidents

 

 

TOP

B.

(U ) Data -Integrity Issues

( U ) This section provides additional, classified detail to NSA s repeated discovery of
anomalies in the data produced by providers in response to FISA court orders and NSA ' s
response to these incidents.
(U ) Production of Inaccurate First-Hop Numbers

TOP SECRET

  

h}

W?rmluctiun of Inaccurate Data Associated with-

 
 

 

 

 

 

 

 

3. (U) Expanding Accuracy Lead NSA tn Delete All
CD115

 

 

 

 

I .

-- - .. 
.?l'kfl 

 



4. (U) Additional lssuex and Concerns

 

 

 

 

 

 

 

 

 


ix
ppend

A

T)

(l

I