TOP ~ECRET/}SI{fNOFOft:N

(U) As part of the government's response to recent unauthorized disclosures, the government iscurrently conducting a review of the information contained in this report to determine theappropriate level of classification. If, following that review, new classification determinations aremade that affect how this report is marked for classification purposes, a revised version of thisreport will be issued with updated classification markings.

August 2013

Reporting Period: June 1, 2012 - November 30, 2012

(U) SEMIANNUALASSESSMENT OF COMPLIANCE WITH PROCEDURES ANDGUIDELINES ISSUED PURSUANT TO SECTION 702 OF THE FOREIGN INTELLIGENCE

SURVEILLANCE ACT, SUBMITTED BY THE ATTORNEY GENERAL AND THEDIRECTOR OFNATIONAL INTELLIGENCE

TOP SECR:ETHSt//NOFOItN

Tor 8ECftE'ffISl/fNOFORN

A-I

37

(U) Appendix A

(U) Section 5: Conclusion

3636

2835

23Compliance Incidents - GeneralReview of Compliance Incidents - NSA Targeting andMinimization ProceduresReview of Compliance Incidents- CIA Minimization ProceduresReview of Compliance Incidents - FBI Targeting andMinimization ProceduresReview of Compliance Incidents - Provider Incidents

22

(U) I.~II.

~III.-fSt IV.

~V.

(U) Section 4: Compliance Assessment - Findings

141720

Trends in NSA Targeting and MinimizationTrends in FBI Targeting and MinimizationTrends in CIA Minimization

14

iS1 I.1S) II.

(Sl/~JF) HI.

(u/1F'tJt:te} Section 3: Trends in Section 702 Targeting and Minimization

6891111

Joint Oversight ofNSAJoint Oversight of CIAJoint Oversight of FBIInteragencylProgrammatic OversightOther Compliance Efforts

5

~1.(S/~W) ll.

ts1 III.~ IV.~V.

(U) Section 2: Oversight of the Implementation of Section 702

3(U) Section 1: Introduction

2(U) Executive Summary

TABLE OF CONTENTS

August 2013

(U) SEMIANNUAL ASSESSMENT OF COMPLIANCE WITH PROCEDURES ANDGUIDELINES ISSUED PURSUANT TO SECTION 702 OF THE FOREIGN

INTELLIGENCE SURVEILLANCE ACT, SUBMITTED BY THE ATTORNEY GENERALAND THE DIRECTOR OF NATIONAL INTELLIGENCE

TOP S~C~Tf/SI/tNOFOR:.~

TOP SECR:ETlISIIINOFORN2

(U/~ This Joint Assessment fmds that the agencies have continued to implement theprocedures and follow the guidelines in a manner that reflects a focused and concerted effort byagency personnel to comply with the requirements of Section 702. The personnel involved inimplementing the authorities are appropriately focused on directing their efforts at non-UnitedStates persons reasonably believed to be located outside the United States for the purpose ofacquiring foreign intelligence information. Processes are in place to implement these authorities

(Sl/tiF) The joint team has found that a vast majority of compliance incidents reported inthe Section 707 Reports have been self-identified by the agencies, sometimes as a result ofpreparation for the joint reviews. In discussing compliance incidents in this SemiannualAssessment (hereinafter also referred to as the Joint Assessment), the focus is on incidents that havethe greatest potential to impactUnited States persons' privacy interests; intra- and interagencycommunications; the effect of human errors on the conduct of acquisition; and the effect oftechnical issues on the conduct of acquisition.

(U) Compliance assessment activities have been jointly conducted by NSD and ODNI.Specifically, the joint team consisted of members from NSD, ODNI's Civil Liberties and PrivacyOffice (CLPO), ODNI's Office of General Counsel (OGe), and ODNI's Office of the DeputyDirector for Intelligence IntegrationiMission Integration Division (DD/II/MlD). NSD and ODNIhave assessed the oversight process used since Section 702 was implemented in 2008, and haveidentified improvements in the Intelligence Community personnel's awareness of and compliancewith the restrictions imposed by the statute, targeting procedures, minimization procedures and theAttorney General Guidelines.

(U) The FISA Amendments Act of 2008 (hereinafter "FAA") requires the Attorney Generaland the Director of National Intelligence to assess compliance with certain procedures andguidelines issued pursuant to Section 702 of the Foreign Intelligence Surveillance Act of 1978,50 U.S.C. § 1801 et seq., as amended, (hereinafter "FISA" or "the Act") and to submit suchassessments to the Foreign Intelligence Surveillance Court (FISC) and relevant congressionalcommittees at least once every six months. This report sets forth the Department of Justice,National Security Division (NSD) and Office of Director of National Intelligence's (ODNI) ninthjoint compliance assessment under Section 702, covering the period Julie 1,2012, throughNovember 30,2012 (hereinafter the "reporting period"). This report accompanies the SemiannualReport of the Attorney General Concerning Acquisitions under Section 702 of the ForeignIntelligence Surveillance Act, which was submitted as required by Section 707(b)(I) ofFISA(hereinafter ''the Section 707 Report") on March 11,2013, and covers the same reporting period.

(m EXECUTIVE SUMMARY

Reporting Period: June 1, 2012 - November 30, 2012

August 2013

(U) Semiannual Assessment of Compliance with Procedures and Guidelines Issued Pursuantto Section 702 of the Foreign Intelligence Surveillance Act, Submitted by the Attorney

General and the Director of National Intelligence

'fOP SECItE'ftlSlftNOf'OItN

TOP SECRETHSlIfNOFORN3

I (U) This report accompanies the Semiannual Report of the Attorney General Concerning Acquisitions under Section702 of the Foreign Intelligence Surveillance Act, which was previously submitted on March 11,2013, as required bySection 707(b)( I)of FISA, and covers the same reporting period.

(1) may not intentionally target any person known at the time of acquisition to belocated in the United States;

(2) may not intentionally target a person reasonably believed to be located outside theUnited States if the purpose of such acquisition is to target a particular, knownperson reasonably believed to be in the United States;

(3) may not intentionally target a United States person reasonably believed to belocated outside the United States;

(4) may not intentionally acquire any communication as to which the sender and allintended recipients are known at the time of the acquisition to be located in theUnited States; and

An acquisition authorized under subsection (a)-

(U) Section 702 requires that the Attorney General, in consultation with the DNI, adopttargeting and minimization procedures, as well as guidelines. A primary purpose of the guidelinesis to ensure compliance with the limitations set forth in subsection (b) of Section 702, which are asfollows:

(U) The FISAAmendments Act of 2008, relevant portions of which are codified at50 U.S.C. §1881- 1881g (hereinafter "FAA"), requires the Attorney General and the Director ofNational Intelligence (DNI) to assess compliance with certain procedures and guidelines issuedpursuant to Section 702 of the Foreign Intelligence Surveillance Act of 1978,50 U.S.C. § 1801 etseq., as amended (hereinafter "FISA" or "the Act"), and to submit such assessments to the ForeignIntelligence Surveillance Court (FISC) and relevant congressional committees at least once everysix months. As required by the Act, a team of oversight personnel from the Department of Justice'sNational Security Division (NSD) and the Office of the Director of National Intelligence (ODNI)have conducted compliance reviews to assess whether the authorities under Section 702 of FISA(hereinafter "Section 702") have been implemented in accordance with the applicable proceduresand guidelines, discussed herein. This report sets forth NSD and ODNI's ninth joint complianceassessment under Section 702, covering the period June 1,2012, through November 30, 2012(hereinafter the "reporting period").I

(U) SECTION 1: INTRODUCTION

and to impose internal controls for compliance and verification purposes. The compliance incidentswhich occurred during the reporting period represent a very small percentage of the overallcollection activity, which has increased from the last Joint Assessment. Individual incidents,however, can have broader implications, as further discussed herein and in the Section 707 Report.Based upon a review of these compliance incidents, the joint team believes that none of theseincidents represent an intentional attempt to circumvent or violate the Act, the targeting orminimization procedures, or the Attorney General's Acquisition Guidelines.

TOP SECR:E'ffISlfINOFOltN

TOP SKCRKTU8J1,£NOFOR:.~

2 (SlA'4F) The other agency involved in implementing Section 702 is the National Counterterrorism Center (NCTC),which has a limited role, as reflected in the recently approved "Minimization Procedures Used by NCTC in connectionwith Lnformation Acquired by the FBI pursuant to Section 702 ofFISA, as amended." Under these limitedminimization procedures, NCTC is not authorized to receive unminimized Section 702 data. Rather, these proceduresrecognize that, in light of NCTC's statutory counterterrorism role and mission, NCTC has been provided access tocertain FBI systems containing minimized Section 702 information, and prescribe how NCTC is to treat thatinformation. For example, because NCTC is not a law enforcement agency, it may not receive disseminations ofSection 702 information that is evidence of a crime, but which has no foreign intelligence value; accordingly, NCTC'sminimization procedures require in situations in which NCfC personnel discover purely la~ enforcement informationwith no foreign intelligence value in the course of reviewing minimized foreign intelligence information that the NCTCpersonnel either purge that information (if the information has been ingested into NCTC systems) or not use, retain, ordisseminate the information (if the information has been viewed in FBI systems). No incidents of noncompliance with

4

"'(SIINF)-Three agencies are primarily involved in implementing Section 702: the NationalSecurity Agency (NSA), the Federal Bureau of Investigation (FBI), and the CentrallntelligenceAgency (CLA).2 An overview of how these agencies implement the authority appears in AppendixA of this assessment.

onwas targeting muunuzatron , which featured modifications from thetargeting and minimization procedures used in previous certifications. The Attorni!jiiiilGeneral'sAcquisition Guidelines applicable for each certification remained unchanged. On2012, the FISC held that the targetinljnd minimization procedures met all statutory anConstitutional requirements. These certifications, and all associated documents werepreviously provided to the congression committees on September 28, 2012, and as attachments tothe Semiannual Report of the Attorney General Concerning Acquisitions under Section 702 ofFISA, March 2013, submitted as required by Section 707(b)(1) ofFISA (hereinafter the "Section707 Report") filed on March 11, 2013.

(TSNStffl~f) During the reporting period, the Attorney General and ONI reauthorizedSection 702(g) certifications, all of which reauthorized previous certifications.201 the FISC these reauthorization certifications.

These guidelines, the Attorney General's Guidelines for the Acquisition of Foreign IntelligenceInformation Pursuant to the Foreign Intelligence Surveillance Act of 1978, as amended (hereinafter"the Attorney General's Acquisition Guidelines"), were adopted by the Attorney General inconsultation with the ONIon August 5, 2008.

(5) shall be conducted in a manner consistent with the fourth amendment to theConstitution of the United States.

TOP SE€RET{/SIh'NOFOR.~

TOP SECRETHSIUNOFORN5

3 (U/~ In November 2012, during [mal review of the prior Assessment, the NSA Office of Inspector Generalshared with NSD and ODNI the results of its study ofNSA's management controls of its Section 702 program. TheOffice of the inspector General subsequently revised its study inMarch 2013. NSD and ODNI are currently reviewingthese results and will incorporate any relevant additional information resulting from the review in the next JointAssessment.

the NCTC minimization procedures were identified during this reporting period. The joint oversight team will beassessing NCTC's compliance with its minimization procedures in the next reporting period.

-(g/~w)'" The implementation of Section 702 is a multi-agency effort. As described in detailin Appendix A, NSA and FBI each acquire certain of data to their own Section 702

•

f rocedures. NSA, FBI, and CIAeach handle Section . ta in WI own

pro s. There are differences in the way each agency implements its procedures resulting fromunique provisions in the procedures themselves, differences in how these agencies utilize Section702-acquired data, and efficiencies from using preexisting systems to implement Section 702

(U) SECTION 2: OVERSIGHT OF THE IMPLEMENTATION OF SECTION 702

(U//~ In summary, the joint team finds that the agencies have continued to implementthe procedures and follow the guidelines in a manner that reflects a focused and concerted effort byagency personnel to comply with the requirements of Section 702 during this reporting period. Asin the prior Joint Assessments, the joint team has not found indications in the compliance incidentsthat have been reported or otherwise identified of any intentional or willful attempts to violate orcircumvent the requirements of the Act. The number of compliance incidents remains small,particularly when compared with the total amount of targeting and collection activity. To reducethe number of future compliance incidents, the Government will continue to focus on measures toimprove communications, training, and monitoring of collection systems, as well as monitor purgepractices and withdrawal of disseminated reports as may be required.' Further, the joint oversightteam will also monitor agency practices to ensure appropriate remediation steps are taken toprevent, whenever possible, reoccurrences of the types of compliance incidents discussed hereinand in the Section 707 Report.

(U/!~ Section Two of this Joint Assessment provides a comprehensive overview ofoversight measures the Government employs to ensure compliance with the targeting andminimization procedures, as well as the Attorney General's Acquisition Guidelines. Section Threecompiles and presents data acquired from the joint oversight team's compliance reviews in order toprovide insight into the overall scope of the Section 702 program, as well as trends in targeting,reporting, and the minimization of United States person information. Section Four describescompliance trends. All of the specific compliance incidents for the reporting period have beenpreviously described in detail in the Section 707 Report. As with the prior Joint Assessments, someof those compliance incidents are analyzed here to determine whether there are patterns or trendsthat might indicate underlying causes that could be addressed through additional measures, and toassess whether the agency involved has implemented processes to prevent recurrences.

'fOP SECRE'f'IISIfINOFORN

TOP Si;CRETIISIHNOFORN6

~ection 702 authorizes the targeting of non-United States persons reasonably believed to be located outside theUnited States. This targeting is effectuated by tasking communication facilities (also referred to herein as "selectors"),including but not limited to telephone numbers and electronic communications accounts, to Section 702 electroniccommunication service providers. A fuller description of the Section 702 targeting process may be found in theAppendix.

October 1, 2012 - November2012

December 11,2012

Applicable CertificationsDate of Review

August 1,2012 - September2012

Figure 1: ~ NSA Reviews

NSA:

(TS//SJlfll'W) NSD and ODNI's joint oversight ofNSA' s implementation of Section 702consists of .. . reviews, which NSA's targeting procedure~

as well as the investigation and reporting~mpliancereportmg period, NSD and ODNI conducted the following onsite reviews at

(Sh'NF) Under the process established by the Attorney General and Director of NationalIntelligence's certifications, all Section 702 targeting is initiated pursuant to the NSA's targetingprocedures. Additionally, NSA is responsible for conducting post-tasking technical checks of allSection 702-tasked communication facilities" once collection begins. NSA must also minimize itscollection in accordance with its minimization procedures. Each of these responsibilities is detailedin Appendix A. Given its central role in the Section 702 process, NSA has devoted substantialoversight and compliance resources to monitoring its implementation of the Section 702 authorities.NSA's internal oversight and compliance mechanisms are further described in Appendix A.

""tSftNIi} (. Joint Oversight of NSA

(U) A joint team has been assembled to conduct compliance assessment activities,consisting of members from NSD's Office of Intelligence (OI), ODNI's Civil Liberties and PrivacyOffice (CLPO), ODNI's Office of General Counsel (ODNI OGC), and ODNl's Office of theDeputy Director for Intelligence IntegrationlMission Integration Division (ODNI DD/lIfMID). Theteam members play complementary roles in the review process. The following describes theoversight activities of the joint team, the results of which, in conjunction with the internal oversightconducted by the reviewed agencies, provide the basis for this Joint Assessment.

authorities. Because of these differences in practice and procedure, there are correspondingdifferences in both the internal compliance programs each agency has developed and in the externaloversight programs conducted by NSD and ODNI.

TOP SECRETIISIHNOFORN

TOP SECRETfIStHNOFOItN7

(SN~lF) The joint oversight team also investigates and reports incidents of noncompliancewith the NSA targeting and minimization procedures, as well as with the Attorney GeneralAcquisition Guidelines. While some of these incidents may be identified during the reviews, mostare identified by NSA analysts or by NSA's internal compliance program. NSA is also required toreport certain events that may not be compliance incidents (e.g., NSA must report any instance inwhich a targeted individual is found to be located in the United States, a circumstance which is onlya compliance incident ifNSA knew or should have known the target was in the United States duringthe collection period), but the report of which may lead to the discovery of an underlyingcompliance incident. Investigations of all of these incidents often result in requests forsupplemental information. All compliance incidents identified by these investigations are reportedto the congressional committees in the Section 707 Report, and to the FISC through quarterlyreports or individualized notices.

(S/INf) The joint oversight team also reviews NSA 's minimization of Section 702-acquireddata. The team reviews a large sample of the serialized reports that NSA has disseminated andidentified as containing Section 702-acquired United States person information. NSD and ODNIalso review a sample ofNSA disseminations to certain foreign government partners made outside ofits serialized reporting process. These disseminations consist of information that NSA hasevaluated for foreign intelligence and minimized, but which may not have been translated intoEnglish. In addition to the dissemination review, NSD and ODNI also review NSA's querying ofunminimized Section 702-acquired communications using United States person identifiers.

-{S/.£N14. During the onsite review, the joint oversight team examines the citeddocumentation underlying these identified tasking sheets, together with NSA Signals IntelligenceDirectorate (SID) Oversight and Compliance personnel, NSA attorneys, and other NSA personnelas required, to ask questions, identify issues, clarify ambiguous entries, and provide guidance onareas of potential improvement. Interaction continues following the onsite reviews in the form of e­mail and telephonic exchanges to answer questions and clarify issues.

(S/~W) The review process for NSA targeting begins well before the onsite review. Priorto each review, NSA electronically sends the tasking record (known as a tasking sheet) for eachselector tasked during the review period to NSD and OONI. Members of the joint oversight teamreview tasking sheets and then NSD prepares a detailed report of the findings, which they sharewith the ODNI members of the review team. During this initial review, NSD attorneys determinewhether the tasking sheets meet the documentation standards required by NSA's targetingprocedures and provide sufficient information for the reviewers to ascertain the basis for NSA'sforeignness determinations. For those tasking sheets that, on their face, meet the standards andprovide sufficient information, no further supporting documentation is requested. The jointoversight team then identifies the tasking sheets that, without further review of the citeddocumentation, did not provide sufficient information, and either sets forth its questions for eachselector or requests that NSA provide the cited documentation for review.

Reports for each of these reviews, which document the relevant time period of the review, thenumber and types of selectors, the types of information that NSA relied upon, and a detailedsummary ofthe findings for that review period, have been provided to the congressional committeeswith the Section 707 Report, as required by Section 707(b )(1)(F) of FISA.

TOP SECRETfISIHNOFORN

TOP S~CRliT/}Sl/tNOFOR~8

(g,lfWf) In addition to the bimonthly reviews, the joint oversight team also investigates andreports incidents of noncompliance with the CIA minimization nr",,,,,,,111r.,,,,,General Gu ·UVJ'.l.u'J~

(S/flqF) As a part of the onsite reviews, the joint oversight team examines documentsrelated to CIA's retention, dissemination, and querying of Section 702-acquired data. The teamreviews a sample of communications acquired under Section 702 and identified as containingUnited States person information that have been minimized and retained by CIA. Reviewers ensurethat communications have been properly minimized and discuss with the analyst issues involvingthe proper application of the minirnization procedures. The team also reviews all disseminations ofinformation acquired under Section 702 that CIA identified as potentially containing United Statesperson information. NSD and ODNI also review CIA's written justifications for all queries usingUnited States person identifiers of the content of unminirnized Section 702-acquiredcommunications.

Reports for each of these reviews have previously been provided to the congressional committeeswith the Section 707 Report, as required by Section 707(b)(1)(F) ofFISA.

Date of Visit Minimization ReviewedAugust 22, 2012 June 1,2012 - July 31, 2012October 24, 2012 August 1, 2012 - September

30,2012December 19,2012 October 1, 2012 - November

31,2012

(SIINF) NSD and ODNI also conduct periodic compliance reviews of CIA's application ofits minimization procedures approximately once every two months. For this reporting period, NSDand ODNI conducted the following onsite reviews at CIA:

Figure 2: ~ CIA Reviews

• •• •

VISItS are ill

established internal compliance mechanisms andlementation of its Section 702 authorities.

(SfIf.ff) As further described in detail in Appendix A, although CIASection 702 to NSA.

(S/INP) ll. Joint Oversight of CIA

TOP SECRETIISI/INOFORN

TOP S~CRI!)TI/SI/INOf'O:RN9

'"'V.cL.VU....'"'"'" programprogram are to ensure FBI's compliance with statutory and procedural

requirements for each of these three roles. Each of the roles discussed above, as well as the FBI'sinternal compliance program, are set forth in further detail inAppendix A.

(8//P>tF)FBI fulfills three separate roles in the implementation of Section 702.authorized under the certifications to

(S//NF) ill. Joint Oversight of FBI

Office and CIA OGC, and when necessary, may involve requests for further information, meetingswith CIA legal, analytical, andlor technical personnel, or the review of source documentation. Allcompliance incidents identified by these investigations are reported to the congressional committeesin the Section 707 Report, and to the FISC through quarterly reports or individualized notices.

TOP SECRETIfSII/NOFOR:."'1

TOP SECRETHSI/,tNOFORN10

~S/~lf) Subsequent to the reporting period for this assessment, NSD expanded it minimization reviews in FBI reviewoffices to also examine retention and dissemination decisions made by FBI field office personnel. A full description ofthese new oversight reviews and the results of such reviews will be included in the next Joint Assessment.

(Slft<IF)'The joint oversight team also investigates potential incidents of noncompliancewith the FBI targeting and minimization procedures, the Attorney General's Acquisition Guidelines,or other agencies' procedures in which FBI is involved. These investigations are coordinated withFBI OGe and may involve requests for further information, meetings with FBI legal, analytical,and/or technical personnel, or review of source documentation. All compliance incidents identified

atincluding Section

-(S//~fF1With respect to minimization, thejoint oversight team reviewsdocuments related to FBI's .. of its minimization Theof communications that FBI

with

-H'jfff"tt'-r In conducting the targeting review, the joint oversight team reviews the targetingthe FBI and . personnel involved in the process, together

documentation. The iteam reviews every_ The joint oversight team also reviews a "'.....~..,"..,~ance issues. FBI analysts and supervisory are available to answer questions, andprovide supporting documentation. The joint oversight team provides guidance on areas ofpotential improvement.

Reports for each of these reviews have previously been provided to the congressional committeeswith the Section 707 Report, as required by Section 707(b)(1)(F) ofFISA.

November 2012 taskings;October 2012 -November2012 minimization

Date of Visit

Figure 3: ~ FBI Reviews

TOP SECItE'f'llStlINOFORN

TOP S~CR~TIISIHNOFOR:N

(U) V. Other Compliance Efforts

(Sh'tiF) NSO and OONI's programmatic oversight also involves efforts to proactivelyminimize the number of incidents of noncompliance. For example, NSO and OONI have requiredagencies to demonstrate to thejoint oversight team new or substantially revised systems involved inSection 702 targeting or minimization prior to implementation. NSO and ODNI personnel alsocontinue to work with the agencies to review, and where appropriate seek modifications of, theirtargeting and minimization procedures in an effort to enhance the Government's collection offoreign intelligence information, civil liberties protections, and compliance.

(Sm~F) Because the implementation and oversight of the Government's Section 702authorities is a multi-agency effort, investigations of particular compliance incidents may involvemore than one agency. The resolution of particular compliance incidents can provide lessonslearned for all agencies. Robust communication among the agencies is required for each toeffectively implement its authorities, gather foreign intelligence, and comply with all legalrequirements. For these reasons, NSO and OONI conduct bimonthly meetings with representativesfrom all agencies implementing Section 702 authorities to discuss and resolve interagency issuesaffecting compliance with the statute and applicable procedures.

(SHNF) IV. InteragencyIProgrammatic Oversight

by these investigations are reported to the congressional committees in the Section 707 Report, andto the FISC through quarterly reports or individualized notices.

'fOP SECRE'f'h'StI/NOf'ORN

TOP SECUTNSl/fNOFORN12

TOP SECRETHStl/NOFORN

TOP SECRETIISIHNOFOItN13

FBI's minimization procedures had already provided that agency the ability to use ___In the course of its FBI field office reviews over the last several ye~FBI's

(S/INF) In addition to specific instructions to personnel directly involved in the incidents ofnoncompliance discussed in Section 4, the agencies and the joint oversight team have also beenengaged in broader training efforts to ensure compliance with the targeting and minimizationprocedures. NSA is currently updating its compliance training course and consolidating its onlinetraining materials. CIA continues to provide regular FISA training at least twice a year to all of theattorneys it embeds with CIA operational personnel. CLAhas also revised its initial training for itsother personnel to better explain how to apply the legal standards to real world situations. FBI, inconjunction with its broader roll-out of its formal Section 702 nomination program, hassubstantially expanded its training program during this reporting period. After consultation withNSD and ODNI, FBI implemented an online training program regarding nominations and the

(U) D. Training

('fSffSb'ftqF) As reported in the last semiannual assessment, NSA minimization proceduresnow permit NSA to query its databases containing telephony and non-upstream electroniccommunications using United States person identifiers in a manner designed to find foreignintelligence information. Similarly, CIA's minimization procedures have been modified to makeexplicit that CIA may also query its databases using United States person identifiers to yield foreignintelligence information' As discussed above in the descriptions of the joint oversight team'sefforts at each agency, the joint oversight team conducts reviews of each agency's use of its abilityto query using United States person identifiers. To date, this review has not identified any incidentsof noncompliance with respect to the use of United States person identifiers; as discussed in Section4, the agencies' internal oversight programs have, however, identified isolated instances in whichSection 702 queries were inadvertently conducted using United States person identifiers.

('f'SIISIHNF) B. Query Processes Using United States Person Identifiers

TOP SECRE'fY/SIh'NOFORN

TOP SECR:ETlISIHNOFORN14

(Tg/lglllNf) NSA reportscollection pursuant to Certifications~ay during the reporting peri represents an_ selectors under collection on any given day in the reporting period.IS comparable to the rate of increase in the prior reporting periods, which wererespectively. As Figure 4 demonstrates, with one exception, the average numbercollection has increased every reporting period.

(SHNIij I. Trends in NSA Targeting and Minimization

(S/It~F) In conducting the above-described oversight program, NSD, ODNI, and theagencies have collected a substantial amount of data regarding the implementation of Section 702.In this section, a comprehensive collection of this data has been compiled in order to identifyoverall trends in the agencies targeting, minimization, and compliance.

(u/~ SECTION 3: TRENDS IN SECTION 702TARGETING AND MINIMIZATION

requirements of the ; FBI already had an online training regardingcompliance with its on muumizanon procedures. NSD and FBI have also conductednumerous in-person trainings at FBI field offices.

TOP SECItE'f'ffSlflNOFOItN

TOP S~CRET/JSlHNOFORN15

11 (ShQ>JF')For 2008 and 2009, the chart includes taskings under the last Protect America Act of 2007 (PAA)certification, Certification 08-0 I, which was not replaced by a Section 702(g) certification until early April 2009.

10 (S/;~~F)The term newly tasked selectors refers to any selector that was added to collection under a certification. Thisterm includes any selector added to collection pursuant to the Section 702 targeting procedures; some of these newlytasked selectors are therefore selectors that had been previously tasked for collection, were detasked, and now have beenretasked.

(TS/,l8YfNF) Figure 5 charts the total monthly numbers of newly tasked facilities sincecollection pursuant to Section 702 began in September 2008.II

i'fSIfSfh'NF~ The above statistics describe the average number of selectors under collectionat any given time during the reporting period. The total number of newly tasked selectors duringthe reporting period provides another useful metric. 10 NSA . documentation o~ newtaskings during the reporting period. This in new taskings fro:theprevious reporting period. Additionally, new taskings in the currentreporting period were telephone numbers; remammg of the newly-taskedselectors were electronic communications accounts.

increase. The rate of increase may accelerate now that FBI has made its nomination process morewidely available to its field office personnel.

TOP S~CRETtlSIJ/NOFOR'I

TOP SECRETHSIHNOFOIl.'I16

(TS/t81/~f).. With respect to minimization, for this reporting period NSA identified to NSDand ODNI_ serialized reports baslid u on minimized Section 702- or Protect America Act(PAA)-acq~ata. This represents increase from the such serialized reports NSAidentified in the prior reporting period. As emonstrated by FiJ!l!lWhich reflects NSA reportingsince late 2009, this increase represents a continuation of the overall increase in the number ofreports based on Section 702- and PAA-acquired data since collection pursuant to these authoritiesbegan.

As the chart demonstrates, the number of newly tasked telephone numbers decreased after 2009, butbegan to increase again in 2012. The number of numbers tasked each month forthe first II months of 2012• As has been the case SInce program wascommunication accounts has continued to increase. The average number of electroniccommunications accounts tasked each month for the first II months of 2012wasincrease from the prior year.

TOP SECRETflSllfNOFORN

TOP SECRETIISI/INOFORN17

I~ NSA generally "masks" United Stales person information by replacing the name or other identifying informationof the United States person with a generic term, such as "United States person #1." Agencies may request that NSA"unmask" the United States person identity. Prior to such unmasking, NSAmust determine that the United Statesperson's identity is necessary to understand the foreign intelligence information.

FBI reports

Trends in FBI Targeting and Minimization

reportmgsena reports as person information derived from Section 702- orPAA-acquired data. NSD and ODNI's review revealed that in the vast majority of circumstances,the United States person information was at least initially masked. 12 The percentage of reportscontaining United States person information has remained lowat_ for this reporting period,decreasing at a marginal rate o~ from the prior reporting period.'Additionally, for the pastthree reporting periods the num~ serialized reports issued by NSA without United States personinformation has grown at a far greater rate than the number of serialized reports issued containingUnited States person information.

TOP SECR£TIISII/NOFORN

TOP 8ECRETIISIIINOFOR:.~18

1~li),L.q.H7Although FBI acquired pursuant to Section 702 prior to April 2009, statistics areprovided from April 2009 forward~tracking selectors designated and approved changed as of thisdate. The "2009 Average" reflected in the table therefore reflects only the average number of accounts from Aprilthrough December 2009.

during the reporting period, approximatelyuisitions. The . Joint Assessment rprlnrtpri

TOP SECRETHSIHNOFORN

'for SECRETIIStHNOFOaN19

(S.(l~~f)InOctober 2009, FBI began to retain Section 702-acquired data in its systems. FBJidentifies for the joint oversight team all disseminations of Section 702 data containing UnitedStates person information. Figure 8 below compiles the number of disseminated reports containingUnited States person information identified for these reviews for the last six review periods.

(g/~W, Figure 7 shows that the percentage of designated accounts ..,...r'..,..,'''~''''has been consistently high. FBI may not approve the acquisitiondesignated account for several reasons, including withdrawal of e potentiadata to be acquired is no longer of foreign intelligence interest, or because FBI has uncoveredinformation causing NSA andlor FBI to question whether the user or users of the account are non-United States persons located outside the United States. . the ioi review team notesthat for those accounts not approved by only a smallportion were rejected on the basis that they were

TOP SECRETHSIHNOFORN

TOP SECRETIISI1INOFORN20

(g,i/~JF)Like FBI, CIA only identifies for NSD and ODNI disseminations of Section 702United States information.

(S#NF) III. Trends in CIA Minimization

(TSft5I/tNFr A totalo.reports that were based at least in part on Section 702-acquiredUnited States person information were disseminated during this reporting period. This representsan" increase from the previous reporting period. During this reporting period, the DepartmentofTu;tice Office of Inspector General issued a report inwhich it described certain disseminations ofmetadata made by the FBI. NSD and ODNI assess that some of these disseminations likelyincluded disseminations of United States person information which were not previously identifiedto NSD and ODNI, and thus are not included in the above Figure. An update regarding this issuewill be provided in the next Joint Assessment.

TOP SECR:£TlISI1INOFORN

TOP SECRSTf/SlhlNO¥ORIS21

(SIflW) During this reporting period, CIA identifiedll disseminations of Section 702-acquired data containing minimized United States person information. This is decreasefrom the such disseminations CIA made in the

TOP SECRETNSIHNOFOIl.'l22

(UI7FOU01-The joint oversight team finds that during the reporting period, the agencieshave continued to implement the procedures and follow the guidelines in a manner that reflects afocused and concerted effort by agency personnel to comply with the requirements of Section 702.The personnel involved in implementing the authorities are appropriately directing their efforts atnon-United States persons reasonably believed to be located outside the United States for thepurpose of acquiring foreign intelligence information. Processes have been put in place to

(U) SECTION 4: COMPLIANCE ASSESSMENT - FINDINGS

TOP SECRETJ/SIifNOFORN

TOP SECRETIISI/,lNOFORN23

14 (Sh'lqF) As is discussed in the Section 707 report and herein, some compliance incidents involve more than oneelement of the intelligence Community. Incidents have therefore been grouped not by the agency "at fault," but insteadby the set of procedures with which actions have been noncompliant.

Compliance incidents during reporting period (June I,2012 - November 30, 2012)

(TSh'SINNF) The following tables put these compliance incidents in the context of theaverage number of selectors subject to acquisition on any given day during the reporting period:

(SHNF) As noted in the Section 707 Report, there were a total o~ com=ce incidentsthat involved noncompliance with the NSA targeting or minimization pro~ures;_ involvingnoncompliance with the CIA minimization procedUffJes.and_ involving noncompliance with FBItargeting and minimization procedures; for a total 0 in~ts involving NSA, CIA or FBIprocedures." Additionally, there were" incidents o. noncompliance by electroniccommunication service providers issue~rective pursuant to Section 702(h) of FISA.

(U) A. ComplianceIncident Rate

(U) I. ComplianceIncidents - General

(g/ft~F) As noted in prior reports, in the cooperative environment the implementingagencies have established, an action by one agency can result in an incident of noncompliance withanother agency's procedures. It is also important to note that a single incident can have broaderimplications.

(U//~ The compliance incidents for the reporting period are described in detail in theSection 707 Report, and are analyzed here to determine whether there are patterns or trends thatmight indicate underlying causes that could be addressed through additional measures, and to assesswhether the agency involved has implemented appropriate procedures to prevent recurrences. Thejoint oversight team continues to assist in the development of such measures.

implement these authorities and to impose internal controls for compliance and verificationpurposes.

(U/~The compliance incidents during the reporting period represent a very smallpercentage of the overall collection activity. Based upon a review of the reported complianceincidents, the joint team does not believe that these incidents represent an intentional attempt tocircumvent or violate the procedures required by the Act.

TOP SECRETIISlliNOFORN

TOP SECRETh'SYtNOI'ORN24

NSA Targeting Procedures a.

1~ Specifically, NSA's targeting procedures require:

As Figure I I demonstrates, the adjusted compliance incident rate calculated without the notificationdelays is 0.20%, which is consistent with low compliance incident rates seen in prior reportingperiods.

Joint Assessment Period

9th8th7th6th5th4th3rd2nd

('f9HSb'~Jf)- In. ofth. incidents in this reporting period, however, the only incidentof noncompliance was theTailure to notify NSD and ODNI of certain facts within the timeframeprovided in the NSA targeting procedures. IS The median length of these reporting delays is onebusiness day. The oversight team will continue to work with NSA to ensure that notifications aremade to NSD and ODNI within the time frame specified in the relevant procedures. A bettermeasure of substantive compliance with the applicable targeting and minimization procedures,therefore, is to compare the compliance incident rate excluding these notification delays. Thefollowing Figure shows this adjusted rate:

Figure 11: (Ul/~) Compliance Incident Rate (as percentage of average selectorstasked), Not inclu-din?Notification Delays

(TSHSIHi'qF) The compliance incident rate continues to remain~ell below one percent.The compliance incident rate o~ represents an increase from the_ compliance incidentrate in the prior reporting perioer.-

TOP SECRETHSltfNOFORN

TOP 8ECRETlISlh'NOFORN25

I~/;~JE+-As described in the Section 707 Report, not all documentation errors have been separately enumerated ascompliance incidents.

('fS/SIlifNF) These categories are helpful for purposes of reporting and understanding thecompliance incidents. The following chart depicts the numbers of compliance incidents in eachcategory that occurred during this reporting period.

In some instances, an incident may involve more than one category of noncompliance.

• ~//l'if) Minimization Issues. The sixth category involves NSA's compliance withits minimization procedures.

• ~ Overcollection. This category involves incidents in which NSA's collectionsystems, in the process of attempting to acquire the communications of properlytasked selectors, also acquired data regarding untasked selectors, resulting in"overcollection."

• (8,'lNF) Documentation Issues. This category involves incidents where thedetermination to target a selector was not properly documented as required by thetargeting procedures.16

• (8/~~F) Notification Delays. The category involves incidents in which a selectorwas properly tasked in accordance with the targeting procedures, but a notificationrequirement contained in the targeting procedures was not satisfied.

• (Sh'tW) Detasking Issues. This category involves incidents in which the selectorwas properly tasked in accordance with the targeting procedures, but errors in thedetasking of the selector caused noncompliance with the targeting procedures.

• (8/~.w) Tasking Issues. This category involves incidents where noncompliancewith the targeting procedures resulted in an error in the initial tasking of the selector.

(Sff~~F)Most of the compliance incidents occurring during the reporting period involvednon-compliance with the NSA's targeting or minimization procedures. This largely reflects thecentrality of these sets of targeting and minimization procedures in the Government'simplementation of the Section 702 authority. The compliance incidents involving NSA's targetingor minimization procedures have generally fallen into the following categories:

(U) B. Categories of Compliance Incidents

TOP SECRET}lSllINOFORN

26TOP SECRETIfSYtNOEORN

\:8ffNf9- As Figure 12demonstrates, the vast majority of compliance incidents during thereporting period were notification delays. Tasking and detasking incidents often involve moresubstantive compliance incidents insofar as they can (but do not always) involve collectioninvolving a selector used by a United States person or an individual located in the United States.The following chart depicts the compliance incident rates, as compared to the average selectors ontask, for tasking and detasking incidents over the previous reporting periods.

DNotification Delays

DOther

DDocumentaton

DMinlmization

DOvercoliection

aDetasklng Incidents

DTasking Incidents

June 1, 2012 - November 30,2012

TOP SECR:STHSb'fNOFORN

TOP SEC~Tl/SI#NOFORN27

(S,L/NF)Over the time periods covered in the above chart, the tasking and detasking incidentcompliance rate has varied by onJy fractions of a percentage point as compared to the average sizeof the collection. While tasking errors cover a variety of incidents, ranging from the tasking of anaccount that the Government should have known was used by a United States person or anindividual located in the United States to typographical errors in the initial tasking of the account,detasking errors more often involve a selector used by a United States person or an individuallocated in the United States, who mayor may not have been the intended target.17 The percentageof compliance incidents involving such detasking incidents has remained consistently low.

(S/INF) With respect to the other targeting and minimization procedures,_incidents of noncompliance with the FBI's procedures involved noncompliance w~ngprocedures. As discussed bel0fl!!il!!iweach of these_. targeting errors resulted from unintentionalerrors in the targeting process; taroeting errors involved a facility used by anindividual located in the Unite tates. ese FBI targeting incidents occurred in the course

'fOP SECRETIISI/INOFOR."'I

TOP SIiCRETNSIIINOFOa'l28

~ _ of the tasking incidents described in the Section 707 report involved facilitieswhere at the ti~ tasking the Government knew or should have known that one of the users ofthe selector was a United States For in NSA Incidents and

(SfINF) Several incidents, however, did involve United States persons during the recentreporting period. United States persons were primarily impacted by (I) tasking errors that led to thetasking of facilities used by United States persons, (2) delays in detasking facilities after NSAdetermined that the user of the selector was a United States person, and (3) the unintentionalquerying of Section 702 repositories using a United States person identifier. Due to theirimportance, these incidents are highlighted in this subsection.

is/~W)- A primary concern of the joint assessment team is the impact of certain complianceincidents on United States persons. The Section 707 Report discusses every incident ofnoncompliance with the targeting and minimization procedures. Most of these incidents did notinvolve United States persons, and instead involved matters such as typographical errors in taskingthat resulted in no collection, detasking delays with respect to facilities used by non-United Statespersons who had entered the United States, or notification errors regarding similar detaskings thatwere not delayed.

(U) A. The Impact of Compliance Incidents on United States Persons

-(S!A'W)-The Section 707 Report previously provided to Congress and the Court discussed indetail every incident of non-compliance that occurred during the reporting period. This JointAssessment takes the broader approach and reports on the trends, patterns, and underlying causes ofthe compliance incidents reported in the Section 707 Report. The Assessment primarily focuses onincidents involving NSA's targeting and minimization procedures, the volume and nature of whichare better-suited to detecting such patterns and trends. The following subsections examine incidentsof non-compliance involving NSA's targeting and minimization procedures. The first subsectionexamines compliance incidents that have the greatest potential to impact United States persons'privacy interests, a particular focus of the joint oversight team. Subsequent subsections discussincidents caused by intra- and interagency communications (i.e., the ability of the agencies tocommunicate information between and among themselves in a timely manner to avoid complianceincidents), technical and incidents caused by human errors, and incidents involvingthe previously discussed

(SHNF) 11. Review of Compliance Incidents - NSA Targeting and MinimizationProcedures

of approvin~oximately_ facilities forrepresented_ of the tot~ber of facilitiesthis reporting penod. As there

TOP SE€RETNSl/fNOFORN

TOP S:ECRETHSl-lfNOFORN29

(TSh'SI//~W+Several other detasking incidents reported in the Section 707 Report may alsohave involved United States of but this has not been

(TS//£I/~W) The majority of detaskini.incidents involved non-United States persons whotraveled to the United States. one of the. detasking delays that occurred during thisreporting period, NSA . is confirmed to have involved a United States person.In this incident, NSA a targeted individual located outside the United States andpreviously assessed by NSA to be a non-United States person whomNSA had targeted pursuant toSection 702 and Executive Order 12333was in fact a United States person. Based upon the revisedassessment, NSA immediately detasked several selectors used by this individual, but due to amiscommunication within an NSA targeting office, did not detask one of this individual's telephonenumbers that was tasked to Section 702 collection. The error was discovered three weeks later andthe telephone number was detasked. No data was acquired as a result of this detasking delay. As isdiscussed in Subsection Il.C below, NSD and ODNI assess that better records and additionaldetasking procedures could help prevent detasking delays such as this one.

a separate momentwas omeland Security (DHS) that the target of a

mg 702 tasking request was an LPR, but due to a lack of internal communication, NSAdid not prevent the pending tasking request from being effectuated. In each of these incidents, allSection 702-acquired data was purged. Together, incidents represent isolated instancesof insufficient due diligence that do not reflect the of taskings that occurredduring the reporting period.

TOP SECR:ETl/SII~OFORN

TOP SECRE1WSIfINOFORN30

I:crSIl~1.f1A federated query is a query using the same term or terms in multiple NSA databases.

(S/~W) As noted in the prior report, communications between and among the agencies havecontinued to improve, which enhances compliance. While communications issues continue to arisein the context of compliance incidents, the joint team assesses that these issues accounted for only ahandful of compliance incidents during this reporting period.

~~tR'H7For example, as previously discussed, NSA Incident_ involved internalcommunications issues at NSA, which contributed to the erroneous ~ selector used by anLPR. Similarly, NSA involved internal miscommunicationswithin NSA that resulted in lectors

~ B. Intra- and Interagency Communications

onsapproved modifications to NSA's minimization to query telephonyand non-upstream acquired electronic communications Section 702 data using United States personidentifiers. Such queries must be designed to yield foreign intelligence information and the queryterms themselves are required to be approved pursuant to NSA internal procedures. In each of the• incidents, an NSA analyst either conducted a query without realizing that NSA had previouslydetermined that the query term was an identifier of a United States person, or the NSA analystconducted a federated query using a known United States person identifier, but ~ot to filter outSection 702-acquired data while conducting the federated query.19None of the. incidentsinvolved an intentional use of an unapproved United States person query term, nor did any of theincidents involve analysts being unaware that only approved United States person identifiers may beused to query Section 702-acquired data. As required by NSA's amended minimization procedures,the joint oversight team continues to conduct oversight ofNSA's use of United States personidentifiers in queries.

TOP S£€RETHStlINOFORN

TOP S~CRETHSI;'/NOFOItN31

e con ng areview 0 co of overseas communications acq pursuant to Executive Order

12333 and qUiCk_realized that the same collection had been utilized in its Section 702collection since .

(TSHSIl~~F) Nonetheless, changes in the global electronic communications environment,unforeseen consequences of software modifications, and system deisi issues resulted in incidentsthat affected acquisition during the reporting period. For example, of the compliance incidentsduring this reporting period resulted in NSA's overcollecti data what wasauthorized under the Section 702 certifications.

~ There were few compliance incidents resulting from technical issues during thisreporting period, but technical issues can have larger implications than other incidents because theyoften involve more than one selector. As such, all agencies involved in the Section 702 programdevote substantial resources towards the prevention, identification, and remedy of technical issues.Collection equipment and other related systems undergo substantial testing prior to deployment.The agencies also employ a variety of monitoring programs to detect anomalies in order prevent orlimit the effect of technical issues on acquisition. Members of the joint oversight team participate intechnical briefings at the various agencies to better understand how technical system developmentand modifications affect the collection and processing of information. As a result of these briefings,potential issues have been identified, the resolution of which prevented compliance incidents fromhappening and ensured the continued flow of foreign intelligence information to the agencies.

(SHNF) C. Effect of Technical Issues on Conduct of Acquisition

.-tSffNFjThe joint oversight team has found that the agencies have established internal andexternal procedures to communicate information concerning a Section 702 user's travel to theUnited States or a change in the assessment of their citizenship status. The joint oversight teambelieves that agencies should continue their training efforts to ensure that these establishedprotocols continue to be utilized. The joint oversight team will continue to work with NSA, ClAand FBI to ensure that the agencies develop and improve efficient and effective channels ofcommunication.

TOP SECRETtISIA4\IO¥ORN

TOP SECRETHSth'NOFOltN32

(SIfNF) All of the technical issues discussed in this subsection were discovered by agencypersonnel and each demonstrates the importance of agencies continually monitoring their collectionfor abnormalities, particularly following configuration and other software changes made tocollection and other related systems. The compliance incidents discussed in this subsection alsohighlight the complexity of the technical systems used to conduct Section 702 acquisition, as wellas the rapid pace of change in communications architecture, that can result in technical and system­related incidents. The joint oversight team assesses that agencies' regular monitoring of relevantsystems processing Section 702-acquired information has led to fewer technical tasking anddetasking errors and the quicker identification and resolution of system errors that do occur.

(SlfNF) Two system errors during this reporting period resulted in delays in detaskingfacilities. In NSA Incident_, an adjustment made in NSA's system during the transitionbetween certifications resul~king delays toll facilities! of which resulted in thecontinued . of users located in the United States for to ee

TOP 8ECRETHSIHNOFORN

'f'OP SECRETIISIflNOFORN33

21 (T~II~I/~lf) For example, NSA lncidents are examples of typographical errors or similarerrors that were committed when NSA was e~into the collection system or at some earlier timein the targeting process. The joint oversight team assesses that the overall rate of these types of errors is extremely lowreflecting the great care analysts use to enter information and the effectiveness of the NSA pre-tasking review process incatching potential errors.

(SHNF) There were other incidents .NSA Incidents

target,The joint team assesses

to to prevent situations where some of a target's selectors are notpromptly detasked, as required by the NSA targeting procedures. This is also one of the manyinstances in which good compliance practice is also good intelligence practice - ensuring that NSAhas up-to-date, accessible, and accurate corporate records of all of the known communicationfacilities used by the targets of its acquisitions will also facilitate the analysis and production offoreign intelligence information. NSA has reported that it is examining how NSA targetingdatabases can be better used to centralize knowledge regarding all of a target's known facilities,which could have prevented some of the detasking delays. The joint oversight team assesses thatimproved linkage among the various NSA databases should be given high priority.

iS/~TI9-Ensuring that selectors are detasked when a target enters the United States requiresnot on that be . but also that have access to accurate and to-date .

(SffNf) As reported in previous Joint Assessments, human errors often cause many of thecompliance incidents. Some of these errors are isolated events that do not lend themselves tocategorization or development of standard processes." Other errors, however, do present patternsthat could be addressed with new training or procedures. As was in the case in the last severalreporting periods, one of the most common errors in this reporting period involved situations wherea target who used multiple selectors tasked to Section 702 or Executive Order 12333 collection wasdiscovered to be in, or known to be traveling to, the United States and some of the Section 702selectors were missed in the detasking process. - detasking delays thatoccurred during this reporting period were the r=.22 Most of these detaskingdelays were quickly identified and remedied, but in NSA Incident_, an e-mail accountremained on collection for approximately five weeks after its user~ered to have traveledto the United States because the analyst had inadvertently detasked only some of the facilitiesknown by NSA to be used by this individual.

(SHNF) C. Effect of Human Errors on the Conduct of Acquisition

Tor SECltEl'ffSI/INOfr'ORN

TOP ~ECRETHSIHNOFORN34

(8f,q..F) Both the joint oversight team and the internal oversight programs have continuedtheir attention on human errors that are susceptible to retraining. Though still few innumber there was an increase of such incidents . this . .

'fOP SECM'f'IISti/NOFORN

TOP SECR:ETHSllfNOFORN35

.(S/~JFJ During this reporting nPT,nn

with the CIA minimization nrocecui

(SHNF) III. Review of Compliance Incidents - CIA Minimization Procedures

TOP SECRETHSI/fNOFOR.~

TOP SECRETIISIIINOFORN

"(S/~IF) During this reporting period, there wer~ incidents of noncompliance by anelectronic communication service provider with a Sectio~(h) directive. Each incident involved

36

(8) V. Review of Compliance Incidents Provider Errors

~S~(F) The other period concerned errors in theprocessing of one of which involved an individuallocated in the United _es ect to - an individual located in theUnited States Incident , FBI accidentally approved the_

for an indivi ua w 0 had recently been found to be in~BIto reject that acquisition request, but the supervisory agent inadvertently selected the

wrong option in FBI's' and instead the request. FBI systems have a fail-safe to prevent the acquisition under this scenario but due to a systemerror, this fail-safe did not in tills case. Thecoding error in the fail-safe has since been an acq communications were purged.In a second incident of note FBI Incident_, FBI personnel processing an FBInominatio- reque~n an FBI agent's assessment that certain non­targeted in~e been located in the United States did not have access to an e­mail account nominated for Section 702 collection. After the acquisition was approved, it wasdetermined that the FBI agent did not have a substantial basis for his assessment; queries run afterthe acquisition was approved, however, revealed no indication that these other non-targetedindividuals were in fact located in the United States at the time of acquisition.

\:S/fl"f1 There were_ incidents involvingminimization procedures in ~reporting period. Indetermined that FBI had not been providing quarterly r..n,r.rtc

~d United States person information to NSD,_ FBI is now providing these reports.

(SHNF) IV. Review of Compliance Incidents - FBI Targeting and MinimizationProcedures

TOP SECRETIISI//NOFOR,.'\J

TOP SECRETJ/SlHNOFOR.~37

(U/~During the reporting period, the joint team found that the agencies havecontinued to implement the procedures and to follow the guidelines in a manner that reflects afocused and concerted effort by agency personnel to comply with the requirements of Section 702.As in previous reporting periods, the joint oversight team has identified no indications of anyintentional or willful attempts to violate or circumvent the requirements of the Act in thecompliance incidents assessed herein. Although the number of compliance incidents continued toremain small, particularly when compared with the total amount of collection activity, a continuedfocus is needed to address underlying causes of the incidents which did occur, includingmaintaining close monitoring of collection activities and finishing the implementation of personneltraining enhancements. The joint oversight team will continue to monitor the efficacy of measuresto address the causes of compliance incidents during the next reporting period.

(U) SECTION 5: CONCLUSION

(8IfNF) Although the causes were different, in all_ of these incidents,overproductions were identified by agency personnel, eith~gh automated systems or byagents and analysts properly reporting within their agencies that the acquired data did notcorrespond with the authorized scope of collection. The joint oversight team believes that thisdemonstrates a success in training and collection monitoring programs, and encourages agencies tomaintain their vigilance in identifying possible overproductions. The joint oversight team alsoassesses that the overall number of overproductions during this reporting period, and over thecourse of the entire Section 702 has been . small. NSD and ODNI assess that thisis due to

parties to ensunngprov are authorized data. NSD and ODNI will continue to assist the

agencies in these efforts as collection activities expand and evolve.

TOP 8ECRETlISIJ/NOFORN

TOP SECRETIISIflNOFORN

APPENDIX A

TOP ~ECRET!/SI/~OFORN

TOP SECRETIISIIINOFOR.~A-I

The term 'electronic communication service provider' means - (A) a telecommunications carrier, as that termis defined in section 3 of the Communications Act of) 934 (47 U.S.c. 153); (B) a provider of electroniccommunication service, as that term is defined in section 2510 of title 18, United States Code; (C) a provider ofa remote computing service, as that term is defined in section 2711 of title 18, United States Code; (D) anyother communication service provider who has access to wire or electronic communications either as suchcommunications are transmitted or as such communications are stored; or (E) an officer, employee, or agent ofan entity described in subparagraph (A), (B), (C), or (D).

2 (U) Section 101(i) ofFISA defines "United States person" as follows:

a citizen of the United States, an alien lawfully admitted for permanent residence (as defined insectionlOl(a)(20) of the lmmigration and Nationality Act [8 U.S.C. § 1101(a)(20)]), an unincorporatedassociation a substantial number of members of which are citizens of the United States or aliens lawfullyadmitted for permanent residence, or a corporation which is incorporated in the United States, but does notinclude a corporation or an association which is a foreign power, as defined in subsection (a)(l), (2), or (3).

I (U) Specifically, Section 70 I(b)(4) provides:

(SflNF) As affirmed in affidavits filed with the Foreign Intelligence Surveillance Court(FISC), NSA believes that the non-United States persons reasonably believed to be outside the

(TS//Sl/~rF) The National Security Agency (NSA) seeks to acquire foreign intelligenceinformation concerning specific targets under each Section 702 certification from or with theassistance of electronic communication service providers, as defined in Section 70 I(b)(4) of theForeign Intelligence Surveillance Act of 1978, as amended (FISA).I As required by Section 702,those targets must be non-United States persons' reasonably believed to be located outside theUnited States. During this reporting period, NSA conducted foreign intelligence analysis to identifytl:lrcrpt" of . intel!" interest that fell within one of the . certifications:

(U) IMPLEMENTATION OF SECTION 702 AUTHORITIES - OVERVIEW

APPENDIX A

I UP SECItE'fIlSIJ!fNOFOR..~

TOP SECRETJlSIIINOFOR."iA-2

with respect to and ongoing acquisitions from certain electronictechnical in acquiring and transmitting raw,

~NSA's targeting procedures address, among other subjects, the manner in whichNSA will determine that a person targeted under Section 702 is a non-United States personreasonably believed to be located outside the United States, the post-targeting analysis conducted onthe selectors, and the documentation required.

(gIlSI/;~Jf)- Once information is collected from these tasked selectors, it is subject to FISC­approved minimization procedures. NSA's minimization procedures set forth specific measuresNSA must take when it acquires, retains, and/or disseminates non-publicly available informationabout United States All collection of Section 702 information is i . routed to NSA.

on or assistance an ic communication serviceprovider, NSA uses as a starting point a selector to acquire the relevant communications, and, afterapplying the targeting procedures (further discussed below) and other internal reviews andapprovals, "tasks" that selector in the relevant tasking system. The selectors are in turn provided toelectronic communication service providers who have been served with the required directivesunder the certifications.

"'"ffSHSIt~F)... Under the Section 702 targeting process, NSA targets persons by taskingselectors used by those persons to communicate foreign intelligence information. A selector is aspecific communications identifier or facility tasked to acquire information that is to, from, or abouta target. A "selector" could be a telephone number or an identifier related to a form of electronic

an e-mail address.

United States who are targeted under these certifications will either possess foreign intelligenceinformation about the persons, groups, or entities covered by the certifications or are likely tocommunicate foreign intelligence information concerning these persons, groups, or entities. Thisrequirement is reinforced by the Attorney General's Acquisition Guidelines, which provide that anindividual may not be targeted unless a significant purpose of the targeting is to acquire foreignintelligence information that the person possesses, is reasonably expected to receive, and/or is likelyto communicate.

TOP SECRETIIStHNOFOltN

TOP 8ECRI5TII8IHNOFOR'lA-3

H (~ Analysts also check this system as part of the "post-targeting" analysis described below.I

(8//NF) 2. Electronic Communications Identifiers

(S/7'NF) 1. Telephone Numbers

(U) A. Pre-Tasking Location

TOP SECIttT1iSIItNOFOItN

TOP SECRETIISI/INOFOR.'1

1~Prior Joint Assessments have stated that the automated notification and review process described in thisparagraph applied to all Section 702 acquisition. The past Joint Assessment stated that NSA and OONI were lookinginto this issue, and in June 2013 NSA reported that its automated notification system to ensure targeters have reviewed

A-4

-(S/INFr c. Post-Tasking Checks

(U) B. Pre-Tasking Determination of United States Person Status

TOP SECRETIISIJINOFORN

TOP S~CIlJ;Th'SI/~OFOR~A-5

collection is currently implemented onlyattempting to develop a similar system

NSA is currently

(SNNF) The procedures provide that analysts will document in the tasking database acitation to the information that led them to reasonably believe that a targeted person is locatedoutside the United The . . . a reference that includes the source of the information,

enablingto review to reasonable

belief. Analysts must also identify the foreign power or foreign territory about which they expectthe proposed targeting will obtain foreign intelligence information.

(U) D. Documentation

TOP SJ;CRETIIStlINOFOItN

TOP SECRETHSINNOFORNA-6

(S/J:P'JF)-NSA'stargeting and minimization procedures require NSA to report to NSD andOONI any incidents of non-compliance with the procedures by NSA personnel that result in theintentional targeting of a person reasonably believed to be located in the United States, the

f8f/~qfjNSA has instituted internal training programs, access control procedures, standardoperating procedures, compliance incident reporting measures, and similar processes to implementthe requirements of the targeting procedures. Only analysts who have received certain types oftraining and authorizations are provided access to the Section 702 program data. These analystsmust complete an NSA Office of General Counsel (OGC) and Signals Intelligence Directorate(SID) Oversight and Compliance training program; review the targeting and minimizationprocedures as well as other documents filed with the certifications; and must pass a competencytest. The databases NSA analysts use are subject to audit and review by SID Oversight andCompliance. For guidance, analysts consult standard operating procedures, supervisors, SIDOversight and Compliance personnel, NSA OGC attorneys, and the NSA Office of the Director ofCompliance.

(U) F. Internal Procedures

are contained in a variety ofNSArequested by the joint team, areOther source records may consist

intelligence reports~

~8f,q.ff') The source records citeddata repositories. These records .produced to verify determinationsof "lead information" from other ..."'::;11'-••<:;,..

TOP SEC~T!lSlffNOFORN

TOP SE€RETI!SIHNOFOR..~A-7

(~/n.lf) A key component of the CMCP, is an effort to manage, organize, and maintain theauthorities, policies, and compliance requirements that govern NSA mission activities. This effort,known as "Rules Management," focuses on two key components: (l) the processes necessary tobetter govern, maintain, and understand the authorities granted to NSA and (2) technologicalsolutions to support (and simplify) Rules Management activities. OOOC also coordinated NSA'suse of the Verification of Accuracy (VoA) process originally developed for other FISA programs toprovide an increased level of confidence that factual representations to the FISC or other externaldecision makers are accurate and based on an ongoing, shared understanding among operational,technical, legal, policy and compliance officials within NSA. NSA has also developed aVerification of Interpretation (Vol) review to help ensure that NSA and its external overseers have ashared understanding of key terms in Court orders, minimization procedures, and other documentsthat govern NSA's FISA activities. OOOC has also developed a risk assessment process to assessthe potential risk of non-compliance with the rules designed to protect United States person

(U~ On a more programmatic level, under the guidance and direction of the Officeof the Director of Compliance (ODOC), NSA has implemented and maintains a ComprehensiveMission Compliance Program (CMCP) designed to effect verifiable conformance with the laws andpolicies that afford privacy protection to United States persons during NSA missions. OOOCcomplements and reinforces the intelligence oversight program ofNSA OIG and oversightresponsibilities ofNSA OGC.

1SlfNF, NSA has established standard operating procedures for incident tracking andreporting to NSO and OONI. The SID Oversight and Compliance office works with analysts atNSA, and with CIA and FBI points of contact as necessary, to compile incident reports which areforwarded to both the NSA OGC and NSA OIG. NSA OGe then forwards the incidents to NSOandOONl.

(~A~n') The NSA targeting and minimization procedures require NSA to conduct oversightactivities and make any necessary reports, including those relating to incidents of non-compliance,to the NSA Office of the Inspector General (NSA OIG) and NSA's OGC. SID Oversight andCompliance conducts spot checks of targeting decisions and disseminations to ensure compliancewith procedures. SID also maintains and updates an NSA internal website regarding theimplementation of, and compliance with, the Section 702 authorities.

intentional targeting of a United States person, or the intentional acquisition of any communicationin which the sender and all intended recipients are known at the time of acquisition to be locatedwithin the United States, with a requirement to purge from NSA's records any resulting collection.NSA must also report any incidents of non-compliance, including overcollection, by any electroniccommunication service provider issued a directive under Section 702. Additionally, ifNSA learns,after targeting a person reasonably believed to be outside the United States, that the person is insidethe United States, or ifNSA learns that a person who NSA reasonably believed was a non-UnitedStates person is in fact a United States person, NSA must terminate the acquisition, and treat anyacquired communications in accordance with its minimization procedures. In each of the abovesituations, NSA's Section 702 procedures during this reporting period required NSA to report theincident to NSO and OONI within the time specified in the applicable targeting procedures (fivebusiness days) of learning of the incident.

TOP 8:ECRETHSIffNOF'ORN

TOP S~CRETHSII/NOFORNA-8

privacy. The assessment is conducted and reported to the NSA Deputy Director and NSA SeniorLeadership Team bi-annually.

TOP SECRETIISItfNOFORN

TOP SI!;CR~TIIS~OFORNA-9

(S/fNFt ill. Overview - FBI

(S/~Jy) CIA's compliance program is coordinated by its FISA Program Office and CIA'sOffice of General Counsel (CIA OGC). CIA provides small group training to analysts whonominate accounts to NSA andlor minimize Section 702-acquired communications. Access tounrninirnized Section 702-acquired communications is limited to trained analysts. CIA attorneysembedded with operational elements that have access to unminimized Section 702-acquiredinformation also respond to inquiries regarding nomination and minimization questions. Identifiedincidents of noncompliance with the CIA minimization procedures are reported to NSD and ODNIby CIA OGC.

(U) B. Oversigbt and Compliance

The fISA Program Office was established in December 2010_and is charged with providing strategic direction f~

t 0 A collection programs, including tbe retention and dissemination offoreign intelligence information acquired pursuant to Section 702. This group is responsible foroverall strategic direction and policy, with program external focus and interaction with counterpartsof NSD ODNI NSA and fBI. In addition, the office leads the day-to-day FISA compliance effortsIIiiiIiiiIiIiii The primary responsibilities of the FISA Program Office are to provide strategic~a handling and management of FISN702 data, as well as to ensure that all Section702 collection is properly tasked and that CIA is complying with all compliance and purgerequirements.

TOP S~CItETJ/SIJ,£NOFO~

TOP SE€RETIISl/tNOFORNA-I0

Tor SE€R:ETHSJJ~OFORlS

TOP SEC~TII81/,£NOFORNA-I1

(s.t/WF) FBI's implementation and compliance activities are overseen by FBI's Office ofGeneral Counsel (FBI OGC), particularly the National Security Law Branch (NSLB), as well asFBI's Exploitation Threat Section (XTS), formerly the Communications Exploitation Section

(U) D. Implementation, Oversight and Compliance

oced es commencing with, and culminating ill

p ating procedures calldepending on the circumstances, arealso retains with each checklist any relevant communications_ regarding its review of the_ information. Additional checklists have been created to capture information on requests~awn_, or not approved by FBI.

(U) C. Documentation

TOP SECRETflSl/lNOFORN

TOp S£CRETl/SIJfNOFORNA-12

13 (U//~ The change of name was effective July 15,2012.

(~I7'NF) The minimization procedures do, however, impose additional obligations orrestrictions as compared to minimization procedures associated with authorities granted under TitlesI and III ofFISA. For example, the Section 702 minimization procedures require, with limitedexceptions, the purge of any communications acquired through the targeting of a person who at thetime of targeting was reasonably believed to be a non-United States person located outside theUnited States, but is in fact located inside the United States at the time the communication isacquired, or was in fact a United States person at the time of targeting.

(SltHF) Once a selector has been tasked for collection, non-publicly available informationcollected as a result of these taskings that concerns United States persons must be minimized. TheFISC-approved minimization procedures require such minimization in the acquisition, retention,and dissemination of foreign intelligence information. As a general matter, minimizationprocedures under Section 702 are similar in most respects to minimization under other FISA orders.For example, the Section 702 minimization procedures, like those under certain other FISA courtorders, allow for sharing of certain unminimized Section 702 information among NSA, FBI, andCIA. Similarly, the procedures for each agency require special handling of interceptedcommunications that are between attorneys and clients, as well as foreign intelligence informationconcerning United States persons that is disseminated to foreign governments.

(U) IV. Overview - Minimization

periodic reviews by NSD and ODNI, atleast once every must report of non-compliance with the FBI targetingprocedures to NSD and ODNI within five business days ofleaming of the incident. XTS andNSLB are the lead FBI elements in ensuring that NSD and ODNI received all appropriateinformation with regard to these two requirements.

(CXS),13 FBI's DataDITU personneltechnical assistancemust be conductedin FBI for bothon the FBI targetmg proceouresits processing of requests for the

TOP SECRE'f'IISlflNOFORN

TOP SECRETIfStllNOFORNA-13

(S/,lI>-IF) NSA, CIA, and FBI have created systems to track the purging of information fromtheir systems. CIA and FBI receive incident notifications fromNSA to document when NSA hasidentified Section 702 information that NSA is required to purge according to its procedures, so thatCIA and FBI can meet their respective obligations.

TOP SECRE'fIlSIflNOt'OItN