Be clear on what this is, and isn’t. It is a positive step, and has probably been taken because of a high-level political decision, related to the recent revelations about misuse of NSA data during the Obama administration.
Doing this does somewhat curtail the opportunity intel analysts will have to run searches on Americans, undetected. The ability to do that is how the Obama White House got away with running searches of NSA data on Trump and his associates.
What this move is not is a shutdown of the potential for those end-user searches to resume. The original, raw data will still be made available from the telecom providers. It’s the searches at the “collection” stage, which are essentially screenings of the data, or a filtering process to decide what to retain, that will be done by NSA on a stricter basis. That should mean less of the raw data will be retained in the big database. (More on that below.)
Screening on the stricter basis will still require enforcement, as will policies on end-user searches. And enforcement of the data-handling policies within the intel community is where the breakdown has always been anyway.
But it’s good news that NSA is deleting a large amount of already-stored data.
[E]ven though the Agency was legally allowed to retain such “about” information previously collected under Section 702 [of the Foreign Intelligence Surveillance Act], the NSA will delete the vast majority of its upstream internet data to further protect the privacy of U.S. person communications.
The already-collected data has been held in storage, by rule, for a five-year period. Deleting the “about” segment of the data — the segment of raw data that has been retained because it contains information “about” national security targets, regardless of whom the communication is from or to — will remove five years’ worth of temptation. So that’s a good thing.
If that type of data is no longer screened into retention, that’s good as well. We can hope that under the new administration, there will be vigilance in ensuring that this new restrictiveness about data screening and retention is enforced.
Regarding what the “about” distinction is, NSA explains it straightforwardly in its official announcement (last link above):
Section 702, set to expire at the end of this year, allows the Intelligence Community to conduct surveillance on only specific foreign targets located outside the United States to collect foreign intelligence, including intelligence needed in the fight against international terrorism and cyber threats.
NSA will no longer collect certain internet communications that merely mention a foreign intelligence target. This information is referred to in the Intelligence Community as “about” communications in Section 702 “upstream” internet surveillance. Instead, NSA will limit such collection to internet communications that are sent directly to or from a foreign target.
NSA’s announcement points out that the agency self-reported previous violations of the data-handling policies that are supposed to protect Americans from having warrantless searches run on their digital comms. NSA has indeed self-reported these problems, and they have been addressed by FISA supervisors and the intel community with policy changes. (See the eye-bleedingly comprehensive but very valuable information collated here.)
Notably, these iterative processes didn’t stop the National Security Council under Obama from running improper searches on Trump and his associates. Nor will NSA’s new policy stop that from happening again. It will just make such searches less lucrative (because less raw data is being retained), and perhaps make them stand out more in terms of being detectable when someone is doing them.
Of special note is the point that NSA’s new policy will not mean that there is no personal data on Americans incidentally present in their database. Such data could still be there, even though what’s being retained is held only because it is from or to a “foreign intelligence” target. It may require more ingenuity for end-users to find ways to search for incidentally-retained data on Americans, however.
In terms of the functional dynamics among agencies, it looks like what’s going on here is that the intelligence users — e.g., at CIA, ODNI, DOJ, the NSC — are being put on notice that NSA will be screening less raw data into the database they can run queries on. That being said, it is certain that this move has the approval of DNI Dan Coats and CIA Director Mike Pompeo. Admiral Mike Rogers, who came to NSA from outside the intel community, has never had the visionary concept for boundary-pushing data access held by his predecessor (Army General Keith Alexander), as well as by former DNI James Clapper. My sense about Rogers is that he will intend to faithfully administer the new, stricter basis of “collection”; i.e., screening raw digital comms data more restrictively for retention in the gargantuan NSA database.
But all the same raw data will still be available to NSA from the telecoms exactly as it has been for years now, at least until FISA Section 702 sunsets at the end of 2017. (And probably beyond that, unless Congress does something really unexpected.) So don’t get complacent that the privacy/Fourth Amendment vulnerability for Americans has been fixed.
Scott Shackford at Reason, always bracing on this topic, has an accessible take here.