Page 156 - Privacy in a Cyber Age Policy and Practice
P. 156
144 PRIVACY IN A CYBER AGE
NSA analysts examine the following three categories of information to
make the above determination:
They examine the lead information they have received regarding the potential
target or the facility that has generated interest in conducting surveillance to
determine what lead information discloses about the person’s location. For
example, has the target stated that he is located outside the United States?
With whom has the target had direct contact, and what do we know about
the location of such persons? [. . .] They conduct research in NSA databases,
available reports, and collateral information to determine whether the NSA
knows the location of the person, or knows information that would provide
evidence concerning that location. For example, the NSA will review their
own databases as well as databases of other intelligence and law enforcement
agencies to determine if the person’s location is already known. [. . .] They
conduct technical analyses of the facility or facilities to determine or verify
information about the person’s location. For example, the NSA may examine
Internet content repositories for records of previous Internet activity that
may indicate the location of the target.
In addition, the NSA maintains records of telephone numbers and
electronic accounts, addresses, and identifiers that the NSA has reason to
believe are being used by U.S. persons. Before targeting an individual for
surveillance, a telephone number or electronic communications account is
checked against these records in order to ascertain whether the NSA has
reason to believe the target is a U.S. person. 160 However, “in the absence of
specific information regarding whether a target is a U.S. person, a person
reasonably believed to be located outside the United States or whose loca-
tion is not known will be presumed to a be non-U.S. person unless such
person can be positively identified as a U.S. person, or the nature or circum-
stances of the person’s communications give rise to a reasonable belief that
such person is a U.S. person.” 161
Critics contend that these standards and procedures are far from rigorous
and do not satisfactorily ensure that targeted persons are not American
citizens or residents. 162 Numbers are difficult to come by because the intel-
ligence community maintains that it is “not reasonably possible to identify
the number of people located in the United States whose communications
may have been reviewed under the authority” of the FISA Amendments
Act that authorizes PRISM. 163 John D. Bates, the chief judge of the FISC,
has noted that, given the scale of the NSA’s data collection, “the court cannot
know for certain the exact number” of wholly domestic communications
collected under the act. 164
Critics cite an NSA internal audit dated May 2012, which found 2,776
incidents in the preceding twelve months of unauthorized collection,
