Declassified Report Reveals NSA Broke Surveillance Rules

Years after Edward Snowden’s jaw-dropping disclosures of sweeping domestic surveillance, the National Security Agency (NSA) continued to violate key rules limiting the government’s ability to conduct warrantless searches of Americans’ electronic communications, according to a declassified September 2021 federal watchdog report obtained by POGO Investigates. The report also found that the NSA still failed to have a system in place meant to prevent these violations of Americans’ privacy rights, more than half a decade after pledges that internal oversight and agency reforms, made in the months following Snowden’s 2013 disclosures, would curb abuses.

POGO Investigates, the news reporting division of the Project On Government Oversight, obtained and declassified this inspector general report through a Freedom of Information Act lawsuit. It sheds additional light on how the secretive and powerful spy agency, which amasses huge troves of electronic data, has faced challenges protecting civil liberties well after NSA contractor Snowden’s disclosures. The information Snowden revealed gave the public a concerning inside look at how the agency’s expansive surveillance programs worked in practice and how this surveillance put their privacy at risk.

A senior lawmaker on the Senate Judiciary Committee recently cited his frustration with spy agencies claiming that their internal systems are enough to stop improper use of sensitive and private data obtained under Section 702 of the Foreign Intelligence Surveillance Act, or FISA.

“Each time we bring up this issue or another issue related to it,” Senator Mike Lee (R-UT) said during a January hearing, “the arguments go something like this: ‘Yes, there have been problems in the past. Yes, there have been abuses of FISA 702. But you need not worry because we now have procedures in place, administrative procedures that will fix the problem once and for all.”

Sometimes described as the “crown jewel” of America’s surveillance authorities with up to 60% of the President’s Daily Brief in 2023 using information derived from it, according to the intelligence community, Section 702 has detractors across the political spectrum. Those have included Tulsi Gabbard, the current director of national intelligence. At one point, she introduced legislation to repeal Section 702, but later spoke in support of the law in advance of her Senate confirmation last year.

Section 702 expires on April 20 unless Congress renews it, potentially with reforms that Lee and other lawmakers support, although President Donald Trump recently told Republican members of Congress he wants the law extended with no changes. Stephen Miller, Trump’s deputy chief of staff and homeland security advisor, is reportedly a top supporter of extending the law without reforms. (Disclosure: POGO is advocating for reforms to Section 702.)

The debate over Section 702 comes as concerns have been broadly rising about the federal government’s surveillance powers in the context of immigration enforcement. The NSA said in February 2024 that it uses 702 data to vet non-U.S. persons seeking to travel to the U.S., specifically “for counterterrorism purposes.” Two months later, and the last time 702 was renewed, Congress explicitly authorized in statute the use of 702 powers for “the vetting of all non-United States persons who are being processed for travel to the United States.” (Italics added.)

That provision drew concerns from both sides of the aisle, in part because it could drastically expand surveillance. “I fear that codifying this provision — especially without meaningful safeguards — would give those who capitalize on fear and xenophobia an important tool to pursue their agenda,” said Representative Joaquin Castro (D-TX) at the time.

“Unauthorized Queries”

Section 702 allows the NSA to target the electronic communications of people who are not U.S. persons going through U.S.-based electronic communications service providers if there is a reasonable belief those people are out of the U.S. and may be in possession of foreign intelligence information. “U.S. persons” mostly refers to U.S. citizens, lawful permanent residents of the U.S., or “an organization incorporated in the United States (unless incorporated by certain foreign powers),” according to the intelligence community.

(The vetting amendment to the 2024 reauthorization of FISA appears to give the government the ability to use 702 to vet “all” non-U.S. persons traveling to the U.S. and does not require a belief they are in possession of foreign intelligence. NSA did not respond to POGO Investigates’ request for comment.)

But in sweeping up those communications, the agencies end up collecting information on Americans emailing, texting, or calling the non-U.S. persons the agencies target.

The NSA, FBI, CIA, and National Counterterrorism Center can then search through — or query — the 702 data but are supposed to follow certain rules to minimize the chance that Americans’ civil liberties and privacy are violated. These queries are often referred to as “backdoor searches.”

The NSA Office of Inspector General report found that the agency had not finished developing a system for preventing the improper agency querying of “United States person identifiers” in sensitive intelligence data. The report states that this systemic shortcoming, if not addressed, meant the agency was more at risk of “violating civil liberties and individual privacy rights” of Americans.

“As the amount of content and metadata queries performed by NSA analysts increases,” the declassified report warned, “so does the Agency’s risk of analysts performing unauthorized queries.” (Metadata is information about electronic communications such as the date and time an email, call, or text occurred, and who sent and received them.)

The NSA queried intelligence data using terms that were not approved by the agency’s general counsel and didn’t comply with procedures authorized by a special court overseeing the federal government’s foreign surveillance efforts, according to the report. Numerous details, such as the number of queries that didn’t comply with the rules, are redacted.

The most recent publicly available data on the NSA’s compliance with the rules governing querying 702 data covers a period of June 2022 through November 2022 — after the declassified inspector general report was issued internally at the NSA. The compliance data showed errors increased: “During this reporting period, the number of improper queries increased by 7.7 percent, as compared to the prior period.”

The declassified NSA inspector general report examined queries between January 19, 2019, and March 19, 2019, and highlighted two instances where the rules weren’t followed. One NSA analyst reported their own noncompliance after discovering that the daily queries they made over several weeks weren’t approved by the general counsel. In another case, a “post-query review auditor” at the NSA found that an analyst was searching through data outside of the time frame approved by the general counsel.

The inspector general’s office made 13 recommendations to the NSA, which appear to have been closed since the watchdog does not list them as open in its semiannual reporting to Congress.

NSA’s Office of Inspector General responded that POGO Investigates’ queries “would be more appropriately addressed by NSA.” NSA did not respond to multiple queries.

A Controversial “Crown Jewel”

Section 702 has long been controversial across the political spectrum due to privacy concerns and the mass amount of data being swept up by the federal government.

While the government has said the vast majority of the problems associated with Section 702 are administrative snafus, and its defenders say some incidents have been overblown, others say the legal authority is too broad and too unchecked.

“It has been the government’s permission slip for warrantless spying on Americans,” said Brett Tolman, a former U.S. Attorney for Utah and former Senate Judiciary Committee chief counsel, in congressional testimony in December.

Tolman cited two NSA incidents that occurred after the inspector general report was finished. In one, an NSA analyst sought information on two people they met through an online dating service. In another, two NSA analysts sought information on a non-U.S. citizen considering renting a property owned by the analysts.

“This is not national security intelligence gathering; it is domestic spying,” said Tolman, who is the executive director of Right On Crime, a national criminal justice campaign of the Texas Public Policy Foundation, and the chair of the America First Policy Institute’s Law and Justice Campaign.

Even though a 2023 review by the Privacy and Civil Liberties Oversight Board stated there are “relatively” few instances of noncompliance at the NSA, and most are discovered internally, others have sharply criticized the NSA well after Snowden’s disclosures. A 2017 decision by the Foreign Intelligence Surveillance Court called out the NSA for “institutional ‘lack of candor’” because the agency failed to reveal queries violating a prohibition on searching for information on U.S. citizens in certain types of data collected under 702.

That 2023 Privacy and Civil Liberties Oversight Board review explains scenarios where the intelligence community could be interested in information involving U.S. citizens. “With regard to U.S. person queries, they help [intelligence] personnel ‘connect the dots’—that is, uncover plots, identify bad actors, and recognize links between foreign intelligence targets and U.S. persons,” the review states.

Nonetheless, the board found the FBI’s use of 702 of particular concern.

“There was little justification provided to the Board on the relative value of the close to 5 million searches conducted by the FBI from 2019 to 2022,” the board’s 2023 review states. Many of the most recent incidents drawing scrutiny have involved the FBI, such as queries involving the names of a U.S. senator, state lawmakers, a state judge, and Black Lives Matter protestors.

However, last year the Justice Department’s watchdog reported that “the FBI is no longer engaging in the widespread noncompliant querying of U.S. persons that was pervasive just a few years ago.”

According to the most recent publicly available federal data, the FBI’s approved searches of U.S. person terms dropped steeply from 2023 to 2024; however, the NSA, CIA, and National Counterterrorism Center more than doubled their use of approved U.S. person query terms from 3,755 terms in 2023 to 7,845 terms in 2024. Due to a lag in agency reporting on compliance, it is publicly unknown how many times these agencies’ searches violated the rules in recent years.

Two senators have recently introduced a bipartisan bill that would reauthorize the law with more safeguards, such as requiring a warrant before agencies can access the content of Americans’ communications.

“Section 702 is a valuable tool to help keep our nation safe,” said Senator Dick Durbin (D-IL) in a February 23 statement introducing the Section 702 reform bill he is co-sponsoring with Senator Lee. “However, it’s being used to conduct thousands of warrantless searches of Americans’ private communications. That’s unacceptable.”

Advocates are also pushing back on reauthorizing 702 without reforms.

“The widespread and continuing failures to honor privacy protections should give lawmakers pause as the government once again asks Congress to entrust the government with immense quantities of Americans’ private data,” said Elizabeth Goitein, the senior director of the Brennan Center for Justice’s Liberty and National Security program, in congressional testimony this January. “Warrantless access to Americans’ private communications is an invitation to governmental overreach and abuse under any administration.”