NSA CIA AP 2013
NSA Director Gen. Keith Alexander with CIA Director John Brennan, 2013 Reuters

The National Security Agency made a select amount of information on American citizens available to the Central Intelligence Agency and two other agencies even though it was prohibited by court order, according to documents released Tuesday by National Intelligence Director James Clapper.

The unauthorized dissemination of Americans’ data, including telephone numbers and email addresses and culled from the full phone records database on all domestic and one-end foreign calls, is one of a number of ways in which the NSA misused the database between 2006 and 2009. Though there are authorized reasons the NSA can share information with outside agencies, the dissemination activity revealed in the documents did not fit those criteria.

However, it remains a mystery why the NSA granted the CIA, FBI and National Counterterrorism Center (NCTC) access to the data, because that information was blacked out when the intelligence community released documentation of this violation on Tuesday.

When the Foreign Intelligence Surveillance Court (FISC), which oversees the NSA’s surveillance programs, brought the bulk phone-call data program under its supervision in May 2006, it placed restrictions on how the phone-call data collected by the NSA could be accessed. The documents released Tuesday showed how these rules, known as minimization procedures, were routinely violated for nearly three years until the court was alerted in 2009. The court ordered a review of the program, which resulted in yet more discoveries of noncompliance, including the fact that some information from the database was made available to the CIA, FBI and NCTC through access to a database containing this phone-call data.

When the NSA has a “reasonable, articulable suspicion” that a number is terrorist-related, that “RAS-approved” number can be run against the entire database to determine what other numbers, within three degrees of separation, were in contact with the suspicious number. (Although a separate problem discovered in 2009 was that many of those queries actually went up to four degrees of separation, known as “hops,” meaning thousands or millions more numbers than authorized could have been culled through some of these queries for years.)

While these other agencies did not have access to all information in the database, they were given access to a separate database that contained some information pulled through these database queries. “During the end-to-end review, NSA's Review Team learned that analysts from the Central Intelligence Agency, Federal Bureau of Investigation, and National Counterterrorism Center had access to unminimized BR FISA query results via an NSA counterterrorism target knowledge database,” NSA Director Keith Alexander said in an August 2009 declaration to the FISC, part of a back-and-forth between NSA and the court to resolve the numerous violations revealed earlier that year.

The NSA’s review of the problem found that a total of about 250 analysts at these agencies had access to the database, and about one-third of them accessed the database between 2006 and 2009. NSA certified in August of 2009 that the problem had been fixed.

Though we don’t know why or how this problem occurred – though Alexander’s declaration seems to indicate that NSA officials seemed unaware that minimization procedures need apply to the data placed in this separate database – we do know that aurhotized reasons do not apply. A footnote indicates that “in contrast” to what is described in the blacked-out explanatory portion of the document, the NSA is permitted “to disseminate outside of NSA information identifying U.S. persons if the U.S. person information is necessary to understand foreign intelligence or assess its importance” and that a select number of NSA officials may "approve disseminations of U.S. person identifying information.” But neither of these approved reasons for dissemination applied in this instance.

The documents released Tuesday were the result of litigation by two privacy rights groups, the Electronic Frontier Foundation and the American Civil Liberties Union, whose legal cases were aided by the leaks from former NSA contractor Edward Snowden.