Main Topic Surveillance

NSA, FOIA, and a long-running quest for Telephony Metadata

Gathering information through FOIA or public records requests can be a long-term endeavor. I made a privacy act request to the NSA back in October 2013, shortly after the Guardian revealed that the NSA had been collecting telephony metadata from Verizon customers.

I happened to be a Verizon customer at the time, so I asked the NSA for a copy of my telephony metadata, via a Privacy Act Request.

The NSA responded as follows

FOIA Case: 75473

21 November 2013

Dear Mr. Revilak:

This responds to your Freedom of Information Act (FOIA) request of 23 October 2013, which was received by this office on 4 November 2013, for a list of phone calls made from your home phone number, 781-***-****. A copy of your request is enclosed. Your letter has been assigned Case Number 75473. Please refer to this case number when contacting u s about your request. For purposes of this request and based on the information you provided in your letter, you are considered an “all other” requester. There are no assessable fees for this request. Your request has been processed under the provisions of the FOIA.

You may be aware that one of the NSA/CSS missions is to collect, process, and disseminate communications or signals intelligence information for intelligence and counter intelligence purposes. NSA is authorized to engage in these activities in order to prevent and protect against terrorist attacks, the proliferation of weapons of mass destruction, intelligence activities directed against the United States, international criminal drug activities, and other hostile activities directed against the United States. The roles and responsibilities that NSA exercises are delineated in Executive Order 12333, as amended.

As you may also be aware, there has been considerable coverage of two NSA intelligence programs in the press/media. Under Sec. 215 of the USA PATRIOT Act, as authorized by the Foreign Intelligence Surveillance Court (“FISC”), NSA may acquire telephone metadata, such as the telephone numbers dialed and length of calls, but not the content of calls or the names of the communicants. Under Sec. 702 of the FISA, with appropriate authorization, NSA may target non-U.S. persons reasonably believed to be located outside the United States for foreign intelligence purposes. Under the FISC-authorized Sec. 215 authority, NSA cannot review any metadata unless strict requirements are met, i.e., the data may be queried only when there is a reasonable suspicion, based on specific facts, that a phone number is associated with a foreign terrorist organization. Likewise, under Sec. 702, there are strict controls approved by the FISC to help ensure that no U.S. person is targeted and FISC-approved minimizations procedures to ensure the protection of any information concerning U.S. persons that may be incidentally acquired.

Although these two programs have been publicly acknowledged, details about them remain classified and/or protected from release by statutes to prevent harm to the national security of the United States. To the extent that your request seeks any information on your telephone activity in relation to NSA intelligence programs, or in relation to any specific methods or means for conducting the programs, we cannot acknowledge the existence or non- existence of such information. Any positive or negative response on a request- by-request basis would allow our adversaries to accumulate information and draw conclusions about NSA’s technical capabilities, sources, and methods. Our adversaries are likely to evaluate all public responses related to these programs. Were we to provide positive or negative responses to requests such as yours, our adversaries’ compilation of the information provided would reasonably be expected to cause exceptionally grave damage to the national security.

Therefore, your request is denied because the fact of the existence or non-existence of responsive records is a currently and properly classified matter in accordance with Executive Order 13526, as set forth in Subparagraph (c) of Section 1.4. Thus, your request is denied pursuant to the first exemption of the FOIA, which provides that the FOIA does not apply to matters that are specifically authorized under criteria established by an Executive Order to be kept secret in the interest of national defense or foreign relations and are properly classified pursuant to such Executive Order.

Moreover, the third exemption of the FOIA provides for the withholding of information specifically protected from disclosure by statute. Thus, your request is also denied because the fact of the existence or non-existence of the information is exempted from disclosure pursuant to the third exemption. The specific statutes applicable in this case are: Title 18 U.S. Code 798; Title 50 U.S. Code 3024(i) (formerly Title 50 U.S. Code 403-l(i)); and Section 6, Public Law 86-36 (50 U.S. Code 3605, formerly 50 U.S. Code 402 note).

The Initial Denial Authority for NSA information is the Associate Director for Policy and Records, David J. Sherman. As your request is being denied, you are hereby advised of this Agency’s appeal procedures. Any person denied access to information may file an appeal to the NSA/CSS Freedom of Information Act Appeal Authority. The appeal must be postmarked no later than 60 calendar days of the date of the initial denial letter. The appeal shall be in writing addressed to the NSA/CSS FOIA Appeal Authority (DJ4), National Security Agency, 9800 Savage Road STE 6248, Fort George G. Meade, MD 20755-6248. The appeal shall reference the adverse determination and shall contain, in sufficient detail and particularity, the grounds upon which the requester believes that the determination is unwarranted. The NSA/CSS FOIA Appeal Authority will endeavor to respond to the appeal within 20 working days after receipt, absent any unusual circumstances.

I disagreed with the NSA’s denial, and filed an appeal. Basically, I went through each statute the NSA cited in their denial, and explained why I believed it did not apply.

January 5, 2014

Dear NSA/CSS FOIA Appeal Authority:

I am writing in regards to FOIA request case number 75473, in which I requested telephony metadata for calls originating from 781-***-****, my Verizon-provided home telephone number. The NSA responded on November 21, 2013, denying my request. I disagree with the reasons given for denial, and wish to file an appeal.

NSA’s letter cited three statutes as the basis for my denial: Title 18 U.S. Code 798, Title 50 U.S. Code 3024(i), 50 U.S. Code 3605. I am appealing the denial because I believe that none of the cited statues applies to my request.

50 U.S. Code 3605 deals with “disclosure of the organization or any function of the National Security Agency, or any information with respect to the activities thereof, or of the names, titles, salaries, or number of the persons employed by such agency.” My request involve my personal telephony metadata — it does not involve the organization of the National Security Agency; nor does it involve the names, titles, salaries, or number of persons employed by the agency. Furthermore, my request was strictly limited to data already collected — I have not requested details of the NSA’s functions or activities. As the original denial letter notes, the Agency’s functions and activities have been widely reported by the press and media; I will note that the press and media reporting has made extensive use of primary source documents.

Title 50 U.S. Code 3024(i) deals with the “Protection of intelligence sources and methods” … “from unauthorized disclosure”. I have requested a copy of telephony metadata collected from my home phone number; I have not requested any information regarding the source of that data, nor have I requested information about how the data was obtained.

Title 18 U.S. Code 798 deals with

classified information …

(1) concerning the nature, preparation, or use of any code, cipher, or cryptographic system of the United States or any foreign government; or

(2) concerning the design, construction, use, maintenance, or repair of any device, apparatus, or appliance used or prepared or planned for use by the United States or any foreign government for cryptographic or communication intelligence purposes; or

(3) concerning the communication intelligence activities of the United States or any foreign government; or

(4) obtained by the processes of communication intelligence from the communications of any foreign government, knowing the same to have been obtained by such processes

I believe that (1) does not apply, since my personal telephony metadata is not a “code, cypher, or cryptographic system”. I believe that (2) does not apply because my personal telephony metadata is not a “device, apparatus, or appliance”. I believe that (3) does not apply because I have requested telephony metadata, and not information about the activities that led to its collection. (As before, said activities have been widely reported in the media, to the point where they could be considered common public knowledge.) I believe that (4) does not apply because my personal telephony metadata does not include “the communications of any foreign government”.

Furthermore, I believe that my FOIA request falls squarely in scope of the Privacy Act of 1974. See 5 USC Section 552a, Paragraph (d)

Each agency that maintains a system of records shall —

(1) upon request by any individual to gain access to his record or to any information pertaining to him which is contained in the system, permit him and upon his request, a person of his own choosing to accompany him, to review the record and have a copy made of all or any portion thereof in a form comprehensible to him [$\ldots$]

I believe that the agency’s collection of telephony metadata constitutes a system of record, whereby I have the right to obtain and review records pertaining to me.

Thanks for your time and attention. I look forward to hearing your response.

In July 2014 the NSA denied my appeal:

Case No. 75457 / Appeal No. 3895

30 July 2014

Dear Mr. Revilak:

This replies to your letter, dated 5 January 2014, appealing the National Security Agency/Central Security Services (NSA7CSS’) denial of your request under the Freedom of Information Act (F01A) for a list of all phone calls from your cell phone number (781-648- 1083). I have reviewed your request, the Chief of the FOIA/Privacy Act (PA) Office’s response to you. and your letter of appeal.

As a result of my review, I have concluded that the appropriate response is to continue to neither confirm nor deny the existence or nonexistence of any records on you pertaining to any NSA intelligence programs or activities, to include programs authorized under Section 215 of the USA PATRIOT Act and Section 702 of the Foreign Intelligence Surveillance Act Amendments Act. To do otherwise when challenged under the FOIA would result in the exposure of intelligence information, sources, and methods, which could harm our national security and severely undermine NSA activities in general. For example, if NSA denied having information in cases where we had no such information, but remained silent in cases in which the information existed, it would tend to reveal in which activities NSA was engaged. Any further elaboration concerning these matters would reveal information that is currently and properly classified under Executive Order 13526.

Accordingly, the existence or nonexistence of any intelligence information you requested remains exempt from disclosure pursuant to 5 U.S.C. Sec. 552(b)(1), which protects properly classified information. I have determined that any substantive response to your request would tend to confirm or deny specific activities. The fact of the existence or nonexistence of such information is a properly classified matter under Executive Order 13526, since it meets the specific criteria for classification established in Section 1.4(c) of the Order. When such classification is warranted, Section 3.6(a) of the Order allows an agency to respond by declining to confirm or deny the existence of responsive records.

Further, the fact of the existence or nonexistence of any such records is also exempt pursuant to 5 U.S.C. Sec.552(b)(3), which permits withholding of matters specifically exempted from disclosure by statute. The applicable statutory provisions with regard to the existence or nonexistence of the records requested are: 18 U.S.C. Sec.798, which prohibits the release of information concerning classified communications intelligence activities except to those persons authorized to receive such information; 50 U.S.C. Sec.3024(i), which requires the protection of intelligence sources and methods from unauthorized disclosure; and Section 6 of the National Security Agency Act of 1959, Public Law 86-36 (codified at 50 U.S.C. Sec. 605), which provides that no law shall be construed to require the disclosure of the organization, personnel, functions, or activities of the National Security Agency.

Additionally, on appeal you assert that the records you have requested are the types of records that are subject to the provisions of the PA, 5 U.S.C. Sec.552a, because, as suggested in your appeal, they include the collection of personal information which is maintained in a PA system of records. To the extent that you are seeking a response under the PA, please be advised that the existence or nonexistence of any intelligence records that may fall within a PA system of records is also exempt from disclosure pursuant to the first exemption of the PA (5 U.S.C. Sec.552a(k)(l)), which allows for the withholding of classified information if that information is exempt from disclosure under the FOIA. The existence or nonexistence of the information you requested meets the criteria for classification under the FOIA (5 U.S.C. Sec. 552(b)(1)) as described above and thus is also exempt from disclosure under the PA (5 U.S.C. Sec.552a(k)(l)). See also Section 3.6(a) of Executive Order 13526.

Because this response is a denial of your appeal, you are hereby advised of your right pursuant to 5 U.S.C. Sec.552(a)(4)(B) to seek judicial review of my decision in the United States District Court in the district in which you reside, in which you have your principal place of business, in which the Agency records are situated (U.S. District Court of Maryland), or in the District of Columbia.

I declined the option of Judicial review, and placed a new FOIA
request for the administrative records pertaining to my case. I filed
this request on August 4th, 2014.

August 4, 2014

Dear NSA FOIA/PA Office:

This is a Freedom of Information Act Request, as described in http://www.nsa.gov/public_info/foia/submit_foia_request/index.shtml. I am seeking copies of the following records:

  • Administrative records generated in the processing of FOIA Case No. 75457.
  • Administrative records generated in the processing of FOIA Appeal No. 3895.

I would prefer to receive responsive documents as .pdf files, emailed to steve@…, but I am happy to accept paper copies mailed to the return address above — whatever is easier for you.

I am willing to pay up $25 for the processing of this request. Please inform me if the estimated fees will exceed this limit before processing my request.

I am seeking information for personal use and not for commercial use.

Thank you for your time and attention.

There’s actually a mistake in my Aug 4th request. I asked for administrative records pertaining to FOIA case 75457, which is the number referenced in the NSA’s 30 July 2014 denial. The correct case number is 75473.

Case 75457 happens to be a Muckrock request which essentially means I waited three years for the wrong set of documents 🙁 I’ve forwarded the administrative records for case 75457 to my colleagues at Muckrock.

But on the bright side, I did receive the administrative records for 3895, which turned out to be informative. Here’s the bulk of their response:

PURPOSE: (U) To inform a FOIA requester that NSA can neither confirm nor deny the existence or nonexistence of intelligence records on him pertaining to any NSA intelligence programs or activities, pursuant to the first and third exemptions of the FOIA. We also inform him of his right to seek judicial review.

BACKGROUND: (U) By letter dated 23 October 2013 (TAB A), Mr. Stephen Revilak requested a list of all phone calls from his cell phone number (781-***-****). The Chief, FOIA/Privacy Act (PA) Office responded to Mr. Revilak by letter dated 21 November 2013, informing him that NSA could neither confirm nor deny the existence or nonexistence of intelligence records pertaining to him, or metadata/call-detail records on him, and/or any telephone numbers provided in the request relative to the recent public acknowledgment of NSA programs authorized under Section 215 of the USA PATRIOT Act and Section 702 of the Foreign Intelligence Surveillance Act Amendments Act. and/or any other intelligence activity. The basis for neither confirming nor denying the existence or nonexistence of such material is the first and third exemptions of the FOIA. The first exemption under the FOIA allows currently and properly classified information to be exempt from disclosure because its exposure could reasonably be expected to cause damage to national security. The third exemption under the FOIA allows the withholding of information specifically protected from disclosure by statute. The applicable statutory provisions with regard to the information at issue are: 18 U.S.C. Sec.798, which prohibits the release of information concerning classified communications intelligence activities except to those persons authorized to receive such information; 50 U.S.C. Sec.3024(i), which requires the protection of intelligence sources and methods from unauthorized disclosure, and Section 6 of the National Security Agency Act of 1959, Public Law 86-36 (codified at 50 U.S.C. Sec.3605), which provides that no law shall be construed to require the disclosure of the organization, personnel, functions, or activities of the NSA. That letter also provided Mr. Revilak with appeal rights (TAB B). Mr. Revilak appealed NSA’s denial of records by letter, dated 5 January 2014 (TAB C).

(U) On appeal, we reviewed the initial request, the Chief of the FOIA/PA Office’s response, and the appeal. We have determined that we must uphold the FOIA/PA Office Chiefs decision, as outlined above, by continuing to neither confirm nor deny the existence or nonexistence of intelligence records on Mr. Revilak.

(U) Additionally, Mr. Revilak believes that his request, specifically for the “telephony metadata” from his cell phone calls, falls within the scope of the PA and should have been processed in accordance with the PA. Indeed, his initial request was submitted as a PA request. However, the request was processed under the FOIA because intelligence records are not records that are maintained in a PA system of records. Nevertheless, to the extent Mr. Revilak is seeking a response under the PA, we inform him that the existence or nonexistence of any intelligence records that may fall within a PA system of records is also exempt from disclosure pursuant to the first exemption of the PA (5 U.S.C. Sec 552a(k)(l)), which allows for the withholding of classified information if that information is exempt from disclosure under the FOIA. The existence or nonexistence of the information he requests meets the criteria for classification under the FOIA (5 U.S.C. Sec 552(b)(1)) pursuant to the statutes cited above and is therefore exempt from disclosure under the PA. Additionally, in response to a request for information under the FOIA and PA, agencies may refuse to confirm or deny the existence or nonexistence of requested records whenever the fact of their existence or nonexistence is itself classified under Executive Order 13526. (See Section 3.6(a) of Executive Order 13526).

FORESEEABLE HARM: (U) We can admit that NSA collects communications or signals intelligence information of unspecified persons or entities involved in terrorism as part of the nation’s efforts to prevent and protect against terrorist attacks. We can also admit that under Section 215 of the USA PATRIOT Act, as authorized by the Foreign Intelligence Surveillance Court (“FISC”), NSA may acquire telephone metadata, such as the telephone numbers dialed and length of calls, but not the content of call or the names of the communicants. Under Section 702 of the FISA Amendments Act, NSA may acquire the communication of non-U.S. persons located abroad for foreign intelligence purposes such as counterterrorism and counter proliferation. This program is also authorized by the FISC. Under the FISC-authorizcd Section 215 authority, NSA cannot review any metadata unless strict requirements are met, i.e., the data may be queried only when there is a reasonable suspicion, based on specific facts, that a phone number is associated with a foreign terrorist organization. Likewise, under Section 702, there are strict controls established by the FISC to ensure that there is no targeting of any U.S. person’s communications and FISC-approved minimizations procedures ensure the protection of any information concerning U.S. persons that may have been incidentally acquired. Although these two programs have been publicly acknowledged, details about them remain classified and/or protected from release by statutes to prevent harm to the national security of the U.S. To the extent that the request seeks any metadata/call detail records on the requester and/or any telephone numbers provided in the request, or seeks intelligence information on the requester, we cannot acknowledge the existence or non-existence of such metadata or call detail records pertaining to the telephone numbers provided or based on the requester’s name. Any positive or negative response on a request-by-request basis would allow our adversaries to accumulate information and draw conclusions about NSA’s technical capabilities, sources, and methods. Our adversaries are likely to evaluate all public responses related to these programs. Were we to provide positive or negative responses to requests such as this one, our adversaries’ compilation of the information provided would reasonably be expected to cause exceptionally grave damage to the national security. We cannot however release any details of our intelligence operations. In addition, we cannot conduct searches to determine whether any particular U.S. citizen may be an intelligence “target.” A “Glomar” response (i.e., to neither confirm nor deny) is necessary because assuming that NSA had no responsive records for this FOIA request, a negative response itself would reveal classified information about NSA’s collection practices or capabilities. Acknowledging the fact that NSA did not acquire telephone metadata or call-detail records from a specific service provider, or collect intelligence on this individual would allow our adversaries to accumulate information and draw conclusions about NSA’s technical capabilities, sources, and methods. Likewise, acknowledging the existence of responsive records would inform this individual that NSA has the ability to exploit a particular type of communication, possibly from a specific service provider. So informed, this individual and/or our adversaries may conclude that their modes of communication are vulnerable to exploitation by the U.S. If this were to occur, it is logical to assume that they would take counter-measures to deny further exploitation. We must be consistent in neither confirming nor denying whether we hold metadata, call-detail records, or intelligence information on a specific U.S. person and/or any specific entities. Although in the vast majority of cases we would have no records if a search on intelligence targets were done, to respond with a “no records” response in those cases and then neither confirm nor deny in the few cases where we did hold records would by process of elimination make it clear to an adversary who our targets were or what our capabilities are and would reveal classified information. Any further elaboration concerning these matters would reveal information that is currently and properly classified under the Executive Order 13526.

The NSA’s response is interesting on a couple of levels. First, we learn that the NSA does not consider their databases to be privacy act systems of record.

Second, we see that the NSA places a good deal of faith in the Foreign intelligence surveillance court. This is despite the fact that FISC hearings and opinions are not available to the public, and FISA (foreign intelligence surveillance ACT) warrants are rarely denied. According to https://en.wikipedia.org/wiki/United_States_Foreign_Intelligence_Surveillance_Court there are been 12 denials and 533 modifications between 1979 and 2013, out of a total of 35,529 cases.

Finally, we see that the NSA emphasizes the importance of neither confirming nor denying that it does what it does, despite any evidence to the contrary.

Here’s a link to the primary source documents.
nsa-20170905-foia-response-78851B-R.pdf

If you enjoyed this post, please consider leaving a comment or subscribing to the RSS feed to have future articles delivered to your feed reader.