September 11, 2013, 10:23 PM — When NSA chief Gen. Keith Alexander addressed Black Hat earlier this year, he painted a rosy picture of how well the agency controls access to its phone record database, but he never brought up cases when those controls broke down, unauthorized access was made and data was shared among analysts who shouldn't have seen it.
Documents just released by the government say that, far from being the well-oiled machine Alexander described to the security conference last month, the so-called business-record metadata gathering program was repeatedly misused, that data about activity on certain phone lines was accessed without appropriate authorization and that no single person at the NSA understood the technicalities of the system architecture.
Not only that, the NSA misled the Foreign Intelligence Surveillance Court about its misuse of the data, according to FISC documents from 2009.
At Black Hat, Alexander described the measures taken to ensure that call-detail records gathered by the NSA and stockpiled in a database for five years at a time are well guarded and queried only if there is "reasonable actionable suspicion" that a specific phone number was linked to foreign terrorists.
"The database is like a lockbox," Alexander said at the time. "The controls that go on this database are greater than any data repository in government, and the oversight is the same."
The database consists of date and time of calls, calling number or IP address, called number or IP address, duration of calls or length of emails and the origin of the metadata information. The NSA vacuums up this data from service providers on all calls and taps into it only under controlled circumstances, or at least that's how it is supposed to work.
But in 2009 the NSA list of phone numbers being checked consisted mostly of numbers that had not met the reasonable actionable suspicion standard, according to a March 2, 2009 order by FISC Judge Reggie B. Walton.
One problem was that for years, nobody at the NSA understood the system in its entirety. "In fact," Walton wrote, "the government acknowledges that, as of August 2006, 'there was no single person who had a complete understanding of the BR FISA system architecture.'"