FAQ: What You Need to Know About the NSA s Surveillance Programs A detailed snapshot of what s known about

the NSA surveillance programs. Construction trailers sit in front of the new National Security Agency (NSA) dat a center June 10, 2013 in Bluffdale, Utah. The center, a large data farm that is set to open in the fall of 2013, will be the largest of several interconnected NSA data centers spread throughout the country. (George Frey/Getty Images) by Jonathan Stray, Special to ProPublica, July 5, 2013, 11:37 a.m. 55 Comments Republish Email Your email Your name Friends ssage Print

email(s) max 10, separated by commas Personal me

Connect with Facebook to share articles you read on ProPublica. Learn more Enable Social Reading Email This story was originally published on June 27, 2013. There have been a lot of news stories about NSA surveillance programs following the leaks of secret documents by Edward Snowden. But it seems the more we read, the less clear things are. We've put together a detailed snapshot of what's know n and what's been reported where. What information does the NSA collect and how? We don t know all of the different types of information the NSA collects, but seve ral secret collection programs have been revealed: A record of most calls made in the U.S., including the telephone number of the p hones making and receiving the call, and how long the call lasted. This informat ion is known as metadata and doesn t include a recording of the actual call (but see below). This program was revealed through a leaked secret court order instructi ng Verizon to turn over all such information on a daily basis. Other phone compa nies, including AT&T and Sprint, also reportedly give their records to the NSA o n a continual basis. All together, this is several billion calls per day. Email, Facebook posts and instant messages for an unknown number of people, via PRISM, which involves the cooperation of at least nine different technology comp anies. Google, Facebook, Yahoo and others have denied that the NSA has direct acc ess to their servers, saying they only release user information in response to a court order. Facebook has revealed that, in the last six months of 2012, they ha nded over the private data of between 18,000 and 19,000 users to law enforcement of all types -- including local police and federal agencies, such as the FBI, F ederal Marshals and the NSA. Massive amounts of raw Internet traffic Much of the world s Internet traffic passe s through the U.S. even when the sender and receiver are both outside the countr y. A recently revealed presentation slide notes the U.S. s central role in interne t traffic and suggests domestic taps can be used to monitor foreign targets. A w histleblower claimed that he helped install a network tap in an AT&T facility in San Francisco on NSA orders in 2003, and a leaked document mentions other cable s. An unknown fraction of the intercepted data is stored in massive databases in case it is useful in the future. The stored data includes bulk "metadata" which details who connected with whom for every intercepted transmission with at leas

t one end outside the U.S. It also includes the actual content of communications for a smaller number of people. Because there is no automatic way to separate domestic from international commun ications, this program also captures some amount of U.S. citizens purely domestic internet activity, such as emails, social media posts, instant messages, the si tes you visit and online purchases you make. The contents of an unknown number of phone calls There have been several reports that the NSA records the audio contents of some phone calls and a leaked docume nt confirms this. This reportedly happens on a much smaller scale than the program s above, after analysts select specific people as targets. Calls to or from U.S. p hone numbers can be recorded, as long as the other end is outside the U.S. or on e of the callers is involved in "international terrorism". There does not seem t o be any public information about the collection of text messages, which would b e much more practical to collect in bulk because of their smaller size. The NSA has been prohibited from recording domestic communications since the pas sage of the Foreign Intelligence Surveillance Act but at least two of these prog rams -- phone records collection and Internet cable taps -- involve huge volumes of Americans data. Does the NSA record everything about everyone, all the time? No. The NSA routinely obtains and stores as much as it can of certain types of i nformation, such as the metadata from telephone calls made in the U.S. (but not their content). For many years it also collected internet metadata in bulk, deta iling who talked to whom both within and outside the U.S. The Obama administrati on says that program was stopped in 2011 due to "operational and resource reason s," but restarted in December 2012 with the restriction that one end had to be o utside the U.S. The NSA intercepted and stored 500 billion records of such "oneend foreign" internet metadata in 2012. We don't know how or for how long, internet metadata ted traffic for 3 much of the actual content of internet messages the NSA stores but the agency works closely with Britain's GCHQ which stores information for 30 days and the entire content of all intercep days.

It is also possible for the NSA to collect more detailed information on specific people, such as the actual audio of phone calls and the entire content of email accounts. NSA analysts can submit a request to obtain these types of more detai led information about specific people. Watching a specific person like this is called "targeting" by the Foreign Intell igence Surveillance Act, the law which authorizes this type of individual survei llance. The NSA is allowed to record the conversations of non-Americans without a specific warrant for each person monitored, if at least one end of the convers ation is outside of the U.S. It is also allowed to record the communications of Americans if they are outside the U.S. and the NSA first gets a warrant for each case. It s not known exactly how many people the NSA is currently targeting, but according to a leaked report the NSA intercepted content from 37,664 telephone n umbers and email addresses from October 2001 to January 2007. Of these, 8% were domestic: 2,612 U.S. phone numbers and 406 U.S. email addresses. How the NSA actually gets the data depends on the type of information requested. If the analyst wants someone's private emails or social media posts, the NSA mu st request that specific data from companies such as Google and Facebook. Some t echnology companies (we don't know which ones) have FBI monitoring equipment ins talled "on the premises" and the NSA gets the information via the FBI's Data Int ercept Technology Unit. The NSA also has the capability to monitor calls made ov er the Internet (such as Skype calls) and instant messaging chats as they happen

. For information that is already flowing through Internet cables that the NSA is monitoring, or the audio of phone calls, a targeting request instructs automatic systems to watch for the communications of a specific person and save them. It s important to note that the NSA probably has information about you even if you aren t on this target list. If you have previously communicated with someone who has been targeted, then the NSA already has the content of any emails, instant m essages, phone calls, etc. you exchanged with the targeted person. Also, your da ta is likely in bulk records such as phone metadata and internet traffic recordi ngs. This is what makes these programs mass surveillance, as opposed to traditiona l wiretaps, which are authorized by individual, specific court orders. What does phone call metadata information reveal, if it doesn t include the conten t of the calls? Even without the content of all your conversations and text messages, so-called m etadata can reveal a tremendous amount about you. If they have your metadata, the NSA would have a record of your entire address book, or at least every person y ou ve called in the last several years. They can guess who you are close to by how often you call someone, and when. By correlating the information from multiple people, they can do sophisticated network analysis of communities of many differen t kinds, personal or professional -- or criminal. Phone company call records reveal where you were at the time that a call was mad e, because they include the identifier of the radio tower that transmitted the c all to you. The government has denied that it collects this information, but for mer NSA employee Thomas Drake said they do. For a sense of just how powerful loc ation data can be, see this visualization following a German politician everywhe re he goes for months, based on his cellphone s location information. The type of data can be used to discover the structure of groups planning terror ism. Starting from a known "target" (see above), analysts typically reconstruct the social network "two hops" out, examining all friends-of-friends in the searc h for new targets. But metadata is a sensitive topic because there is great pote ntial for abuse. While no one has claimed the NSA is doing this, it would be pos sible to use metadata to algorithmically identify, with some accuracy, members o f other types of groups like the Tea Party or Occupy Wall Street, gun owners, un documented immigrants, etc. An expert in network analysis could start with all o f the calls made from the time and place of a protest, and trace the networks of associations out from there. Phone metadata is also not anonymous in any real sense. The NSA already maintains a database of the phone numbers of all Americans for use in determining whether someone is a U.S. person (see below), and there are several commercial number-to-n ame services in any case. Phone records become even more powerful when they are correlated with other types of data, such as social media posts, local police re cords and credit card purchase information, a process known as intelligence fusi on. Does the NSA need an individualized warrant to listen to my calls or look at my emails? It s complicated, but not in all cases. Leaked court orders set out the "minimizat ion" procedures that govern what the NSA can do with the domestic information it has intercepted. The NSA is allowed to store this domestic information because of the technical difficulties in separating foreign from domestic communications when large amounts of data are being captured. Another document shows that individual intelligence analysts make the decision t o look at previously collected bulk information. They must document their reques

t, but only need approval from their "shift coordinator." If the analyst later d iscovers that they are looking at the communications of a U.S. person, they must destroy the data. However, if the intercepted information is reasonably believed to contain evidenc e of a crime then the NSA is allowed to turn it over to federal law enforcement. Unless there are other (still secret) restrictions on how the NSA can use this d ata this means the police might end up with your private communications without ever having to get approval from a judge, effectively circumventing the whole no tion of probable cause. This is significant because it is not always possible to determine whether someo ne is a U.S. person before looking at their data. For example, it s not usually po ssible to tell just from someone s email address, which is why the NSA maintains a database of known U.S. email addresses and phone numbers. If the NSA does not h ave specific information about someone, that person is presumed to be a non-United States person. Also, the NSA is allowed to provide any of its recorded information to the FBI, if the FBI specifically asks for it. Is all of this legal? Yes, assuming the NSA adheres to the restrictions set out in recently leaked cou rt orders. By definition, the Foreign Intelligence Surveillance Court decides wh at it is legal for the NSA to do. But this level of domestic surveillance wasn t a lways legal, and the NSA's domestic surveillance program has been found to viola te legal standards on more than one occasion. The NSA was gradually granted the authority to collect domestic information on a massive scale through a series of legislative changes and court decisions over the decade following September 11, 2001. See this timeline of loosening laws. Th e Director of National Intelligence says that authority for PRISM programs comes from section 702 of the Foreign Intelligence Surveillance Act and the Verizon m etadata collection order cites section 215 of the Patriot Act. The author of the Patriot Act disagrees that the act justifies the Verizon metadata collection pr ogram. The NSA's broad data collection programs were originally authorized by President Bush on October 4, 2001. The program operated that way for several years, but i n March 2004 a Justice Department review declared the bulk internet metadata pro gram was illegal. President Bush signed an order re-authorizing it anyway. In re sponse, several top Justice Department officials threatened to resign, including acting Attorney General James Comey and FBI director Robert Mueller. Bush backe d down, and the internet metadata program was suspended for several months. By 2 007, all aspects of the program were re-authorized by court orders from the Fore ign Intelligence Surveillance Court. In 2009, the Justice Department acknowledged that the NSA had collected emails a nd phone calls of Americans in a way that exceeded legal limitations. In October 2011, the Foreign Intelligence Surveillance Court ruled that the NSA violated the Fourth Amendment at least once. The Justice Department has said tha t this ruling must remain secret, but we know it concerned some aspect of the "m inimization" rules the govern what the NSA can do with domestic communications. The Foreign Intelligence Surveillance Court recently decided that this ruling ca n be released, but Justice Department has not yet done so. Civil liberties groups including the EFF and the ACLU dispute the constitutional ity of these programs and have filed lawsuits to challenge them. How long can the NSA keep information on Americans?

The NSA can generally keep intercepted domestic communications for up to five ye ars. It can keep them indefinitely under certain circumstances, such as when the communication contains evidence of a crime or when it s foreign intelligence infor mation, a broad legal term that includes anything relevant to the conduct of the f oreign affairs of the United States. The NSA can also keep encrypted communications indefinitely. That includes any i nformation sent to or from a secure web site, that is, a site with a URL startin g with "https". Does the NSA do anything to protect Americans privacy? Yes. First, the NSA is only allowed to intercept communications if at least one end of the conversation is outside of the U.S. -- though it doesn't have to dist inguish domestic from foreign communication until the "earliest practicable poin t" which allows the NSA to record bulk information from internet cables and sort it out later. When the NSA discovers that previously intercepted information be longs to an American, it must usually destroy that information. Because this det ermination cannot always be made by computer, this sometimes happens only after a human analyst has already looked at it. The NSA also must apply certain safeguards. For example, the NSA must withhold t he names of U.S. persons who are not relevant to ongoing investigations when the y distribute information -- unless that person s communications contain evidence o f a crime or are relevant to a range of national security and foreign intelligen ce concerns. Also, analysts must document why they believe someone is outside of the U.S. whe n they ask for addition information to be collected on that person. An unknown n umber of these cases are audited internally. If the NSA makes a mistake and disc overs that it has targeted someone inside the U.S., it has five days to submit a report to the Department of Justice and other authorities. What if I m not an American? All bets are off. There do not appear to be any legal restrictions on what the N SA can do with the communications of non-U.S. persons. Since a substantial fract ion of the world s Internet data passes through the United States, or its allies, the U.S. has the ability to observe and record the communications of much of the world s population. The European Union has already complained to the U.S. Attorne y General. The U.S. is hardly the only country doing mass surveillance, though its program is very large. GCHQ, which is the British counterpart to the NSA, has a similar surveillance program and shares data with the NSA. Many countries now have some sort of mass internet surveillance now in place. Although passive surveillance i s often hard to detect, more aggressive governments use intercepted information to intimidate or control their citizens, including Syria, Iran, Egypt, Bahrain a nd China. Much of the required equipment is sold to these governments by America n companies.