In general, however, the FISC and Congress have to rely on the NSA or DOJ to report any violations of FISA; NSA, effectively, gets to police itself.
While the government claims it does a good job self-policing, the court hasn't always agreed. Even before the FISA Amendments Act passed, the government reorganized PRISM without telling judge Reggie Walton, who was overseeing a challenge to that program. A year later, judge Thomas Hogan was surprised to learn the NSA hadn't been reporting all violations to the court, reporting only systematic ones or specific misrepresentations the government made to the court. After the government revealed two different systematic problems in 2009 and a third in 2011, affecting three different programs, FISC judge John Bates complained about "the third instance in less than three years in which the government has disclosed a substantial misrepresentation regarding the scope of a major collection program." And after several delayed notifications last fall and this spring, Rosemary Collyer scoffed at the government's excuses for two different eleven- and five-month delays in notifying the FISC of violations. "Too often, however, the government fails to meet its obligation to provide prompt notification to the FISC when noncompliance is discovered."
The problems with upstream collection started in 2004, years before the FISA Amendments Act was passed. The government got the FISC to approve collection of what it claimed was only metadata off the telecom switches to replace the Internet dragnet part of President Bush's Stellar Wind program. But in approving the collection, judge Colleen Kollar-Kotelly limited which categories of data the NSA could obtain. Within three months, the government violated those category restrictions. So Kollar-Kotelly imposed twice quarterly "spot checks" to make sure NSA didn't continue to violate those restrictions—roughly 25 spot checks were performed between 2004 and 2009.
In 2009, in the wake of problems in the phone dragnet program, Reggie Walton made the NSA conduct an end-to-end review of the internet dragnet to look for problems. Yet it wasn't until, in response to a Walton order, NSA's Inspector General started investigating the internet dragnet that the NSA finally told the FISC that "virtually every … record generated [by the bulk Internet metadata program] included some data that had not been authorized for collection." As Bates observed when laying out NSA's remarkable failures to find these ongoing violations, "those responsible for conducting oversight at NSA failed to do so effectively."
In another instance, FISC made NSA double check that data collected during a period when its post-collection checks ensuring targets really were located overseas were on the fritz, to make sure that targets hadn't entered the US while they were targeted.
But the important precedent to FISC's policing of exclusive means is another upstream collection problem. In 2011, after four years, the government first told the FISC that when it conducted "about" collection (searching for emails that refer to Osama bin Laden's phone number), it sometimes got entire bundles of communication. Sometimes those bundles included communications that were entirely domestic. Mind you, as part of that disclosure process, the NSA revealed it collected a whole bunch more domestic communications that weren't bundled but that, because they mentioned Osama bin Laden's phone number (or whatever selector), were at least interesting to the NSA. But those other bundled domestic communications were particularly problematic because they broke the rules and weren't of interest.
So for four years, the NSA had been collecting entirely domestic communications that fit no intelligence purpose without telling the court. When he learned about it, Bates did what he had done the year before—he told the NSA they couldn't use the data that violated the rules, and within a year, the NSA deleted it.
It took three years after identifying the problem before NSA figured out just how bad it was.
And it was bad. For one tool used to do back door searches on Americans targeted by individual FISA warrants who were located overseas, 85% of queries were not compliant, often because they targeted those people for periods when spying wasn't authorized by a FISA warrant, as the FISA Amendments Act requires they be. In addition, over the course of six months of review, the NSA couldn't even find all the places it had stored upstream content that might have been improperly switched.
So at the end of that six-month period (this brings us to April 2017), Collyer approved a proposal offered by Trump's appointees she claimed was a fix. Rather than prohibiting back door searches of content known to include entirely domestic communications, the NSA would just stop doing the most problematic kind of upstream collection, the "about" collection that can result in bundled communications including entirely unrelated communications. With that change, Collyer for the first time approved back door searches on upstream collection, without even consulting an amicus, which was arguably required by the USA Freedom Act, a 2015 law that required the court to explain why it didn't use an amicus when considering significant issues.
"It will still be possible for the NSA to acquire [a bundled communication] that contains a domestic communication."
Worse still, Collyer let the government keep the data and derivative reporting, even without an assessment of whether the underlying records included domestic communications that could not be retained without an individualized waiver. "Certain records derived from upstream internet communications…will be retained by NSA, even though the underlying raw Internet transactions from which they are derived might be subject to destruction." Some of these records were used to get FISA applications on US persons, precisely the kind of use of improperly collected data that FISA exclusivity criminalizes.
Collyer's three immediate predecessors as presiding judge—John Bates, Reggie Walton, and Thomas Hogan—had all used the precedent established by Bates to force the NSA to destroy any data it obtained while breaking the rules. Even while Collyer reviewed the NSA's fulfillment of their prior orders to destroy such data, she imposed no such restriction herself. The NSA got to keep the fruit of those searches, and may still be spying on Americans as a result.
In the weeks ahead, Congress will begin debating reauthorization of the FISA Amendments Act. The government insists Congress shouldn't make any changes, not even codifying the prohibition on "about" collection that related to a decade of violations, something a draft bill attempts to do, according to the New York Times.
"As demonstrated in numerous declassified court opinions and other materials, the FISC exercises rigorous independent oversight of activities conducted pursuant to Section 702 to ensure that incidents of non-compliance are addressed through appropriate remedial action," the government's letter to Congress claims, in spite of all the evidence that oversight, even from more aggressive judges, has been insufficient.
The government also continues to dodge questions about how Section 702 can collect entirely domestic communications, as admitted by Collyer, and how many Americans it sucks in because Americans are talking to targeted foreigners. To justify a straight reauthorization, the government will claim the program fixes its problems.
The truth, however, is NSA has struggled to follow the rules of Section 702 for almost a decade.