Article Lead Image

NSA metadata collection program swept up Americans’ credit card numbers

Here's a breakdown of the declassified documents that reveal how it happened. 

 

Joe Kloc

Tech

Posted on Nov 19, 2013   Updated on Jun 1, 2021, 1:35 am CDT

The Office National Intelligence released a trove of newly declassified documents Tuesday, detailing the National Security Agency’s controversial surveillance operations. As Matthew Keys reported on The Desk, one of the documents, from 2006, reveals how the agency inadvertently scooped up some citizens’ names and credit card numbers while collecting telephone metadata.

The report provides key insights into how the agency collects and processes telephone data. Here’s a breakdown:

First off, much of the document is heavily redacted, and thus difficult to decipher with certainly:

That said, certain portions are left relatively untouched. A section titled “Reportable Issues” details instances in which the agency inadvertently obtained more customer information than it was legally permitted to by the Foreign Intelligence Surveillance Court.

Notably, a “very small percentage” of call records contained customers credit card numbers. It appears that in a two-month period during the summer of 2006, .001 percent of call records contained card numbers.

How many records that is, exactly, it is difficult to say. As leaks from former intelligence contractor Edward Snowden have revealed, the NSA appears to collect records on every U.S. citizen. However, it is unclear whether .001 percent is a reference to the number of calls that were listed with credit card numbers or the number of citizens whose numbers were turned over.

Apparently, the agency responded to the error by developing software to “mask” the information before it was archived. “NSA did not use this information in any way,” the report stated.

The document gives insight into how this pre-archive review of data works. At the time this report was drafted, the agency employed a four-person team to review all data before it was handed over to analysts for intelligence collection. Presumably the credit card numbers are purged during this review.

The document also mentions that “even less frequently” than in the case of credit card numbers, a small percentage of names were given over to the agency. In these instances the information was purged in the same way as with credit card numbers.

A few further insights can be gleaned about the nature of metadata and the process of its collection and review.

The document provides several insights into what metadata is specifically defined to mean by the NSA: the agency collects the telephone number making the call, the number called, the date and length of the call, the infrastructure that carried the call, and whether or not the call was made overseas.

There appear to be further dimensions gathered by the program, but they are redacted in the publicly released report:

At least during the time period listed in the report, the information gathered on each phone call varied by telecom company, presumably with respect to each company’s own data retention capabilities and policies.

Finally, the report also details the standards that must be adhered to in order for an agent to search the metadata archive: As has been previously reported, the NSA can only query metadata once it has a specific telephone number in mind. A curious redaction leaves it unclear what exactly makes a particular phone number permissible to investigate:

Another section of the report details further restrictions, with similar redactions:

Ultimatley, while the report does reveal that errors occur in the metadata program, it also details what appears to be a responsible system for addressing them. However, it should be noted that the aforementioned report was compiled in 2006. It is unclear whether the metadata collection program has expanded or evolved since that time.

Photo via 401(K) 2012/Flickr

Share this article
*First Published: Nov 19, 2013, 3:48 pm CST