February 12, 2015
In August of 2013, the Department of Defense ("DoD") released a notice of proposed rulemaking ("NPRM"). The proposed rule "update[d] the established policies, guidance, and assigned responsibilities of the DoD Privacy Program pursuant to The Privacy Act . . . ." When an agency publishes a proposed rule, it has to take public comments on the rule and then consider those comments prior to releasing the final rule. EPIC, joined by a coalition of public interest organizations, filed comments for DoD's consideration.
At the time that the DoD's proposed rule was released, the Snowden revelations were just a few months old. Those revelations provided unparalleled insight into NSA's mass surveillance activity. The NSA is a DoD component subject to the proposed rule and, of course, to the Privacy Act of 1974. Through the review of the documents and news stories associated with the revelations, EPIC's coalition comments identified three NSA databases subject to the Privacy Act. And per the Privacy Act, these databases (known as "systems of records" in the Privacy Act) require a Systems of Record Notice (SORN) to the public. EPIC's coalition comments argued that there was no SORN for, at minimal, the following three databases:
- The US identifier database (see bottom of page 3) of "telephone numbers and electronic communications accounts/addresses/identifiers that NSA has reason to believe are being used by United States persons;"
- The database of contact lists the NSA retrieves from email address books and instant message "buddy lists;" and
- The NSA database containing information relating to social networks.
SORNs require an agency to publish a number of pieces of information related to the databases it maintains. This includes individuals covered by the database, the categories of records in the database, and the purpose of the database. Unfortunately, government agencies tend to use very broad language to describe these aspects of a database.
Just last month, the DoD published its final rule. The DoD's final rule responded to EPIC's coalition comments by claiming that the three databases described in our comments were already covered by an existing SORN, GNSA 18. Importantly, the DoD did not challenge the assertion that these NSA databases were systems of records subject to the Privacy Act.
As mentioned above, many parts of SORNs are often described in very broad terms thus allowing the DoD to claim everything under the sun is covered. There is one section though that requires a more specific description--the section on retrievability. Under this section, the agency must describe how information is retrieved from the database. GNSA 18 states, "Information is retrieved by individual's name, Social Security Number (SSN), and/or employee identification number." At minimal, this description fails to describe how information is retrieved from NSA's US identifier database.
Per a document signed off on by Attorney General Holder, titled, Procedures Used by NSA for Targeting Non-US Persons Reasonably Believed to Be Outside the US to Acquire Foreign Intelligence Pursuant to 702 FISC July 29, 2009, the "NSA maintains records of telephone numbers and electronic communications accounts/addresses/identifiers that NSA has reason to believe are being used by United States persons." Furthermore, "Prior to targeting, a particular telephone number or electronic communications account/address/identifier will be compared against those records in order to ascertain whether NSA has reason to believe that the telephone number or electronic communications account/address/identifier is being used by a United States person."
In contrast to what is stated in GNSA 18, the NSA compares telephone numbers and other identifiers (e.g. email) against the agency's database of U.S. person identifiers. This retrieval of information from the database via various identifiers is not covered by GNSA 18. Additionally, it is not covered by any other NSA SORN. This is a violation of the Privacy Act and DoD's privacy rules.