WASHINGTON — The National Security Agency said Friday that it had halted one of the most disputed practices of its warrantless surveillance program, ending a once-secret form of wiretapping that dates to the Bush administration’s post-Sept. 11 expansion of national security powers.
The agency is no longer collecting Americans’ emails and texts exchanged with people overseas that simply mention identifying terms — like email addresses — for foreigners whom the agency is spying on, but are neither to nor from those targets.
The decision is a major development in American surveillance policy. Privacy advocates have argued that the practice skirted or overstepped the Fourth Amendment.
The change is unrelated to the surveillance imbroglio over the investigations into Russia and the Trump campaign, according to officials familiar with the matter. Rather, it stemmed from a discovery last year that N.S.A. analysts had violated rules imposed by the Foreign Intelligence Surveillance Court to limit access to certain messages the agency captured as a byproduct of the practice.
Senator Ron Wyden, an Oregon Democrat who sits on the Intelligence Committee and has long been an outspoken critic of what he saw as N.S.A. overreach, hailed the decision and said he would offer legislation to codify the new limit in federal law.
“This change ends a practice that allowed Americans’ communications to be collected without a warrant merely for mentioning a foreign target,” Mr. Wyden said. “For years, I’ve repeatedly raised concerns that this amounted to an end run around the Fourth Amendment. This transparency should be commended.”
The government had argued that the practice was important for fighting terrorism, saying it could uncover new suspects it might otherwise never find.
The legal issue behind the N.S.A.’s decision, first reported Friday by The New York Times and later acknowledged by the agency, is rooted in the complicated technical steps the agency takes to conduct surveillance.
Under one aspect of the warrantless surveillance program, which Congress legalized with the FISA Amendments Act of 2008, telecommunications companies like AT&T and Verizon give the N.S.A. copies of internet messages that cross the international border and contain a search term that identifies foreigners overseas the government has targeted for surveillance, such as email addresses. The agency calls this “upstream” collection.
Until 2013, it was not publicly known that the equipment installed on network switches was systematically sifting all cross-border internet traffic and sending to the N.S.A. messages containing such a targeted email address anywhere — not just emails to or from targets, but also between other people who talk about them.
The Times first reported the existence of this practice, so-called “about” surveillance, amid the fallout from the leaks by the former intelligence contractor Edward J. Snowden, based on a clue in one of the documents he disclosed and source reporting. Going forward, the agency will receive and store only intercepted messages that were directly sent to or from a target.
On Friday, Mr. Snowden wrote on Twitter that “the truth changed everything.”
He also called the change “likely the most substantive of the post-2013 NSA reforms, if the principle is applied to all other programs.” However, there was no indication that the N.S.A. intended to cease this type of collection abroad, where legal limits set by the Constitution and the Foreign Intelligence Surveillance Act largely do not apply.
In its statement, the N.S.A. said its failures to comply with the intelligence court rules, which it characterized as “inadvertent,” prompted it to report the problems to the court.
The court issued two short-term extensions of the program rather than reauthorizing it for a full year when a November 2015 order approving it expired. During those extensions, the agency grappled with how it could continue collecting information on surveillance targets without breaking the rules. Ultimately, it said, it decided to limit its upstream internet collection to messages sent directly to or from foreign intelligence targets, forgoing those that are merely about them.
A senior intelligence official said that problems had arisen when analysts queried the raw repository of emails gathered via the upstream program looking for information about Americans. The inquiries were conducted for legitimate intelligence purposes, the official said, but under rules imposed by the intelligence court, analysts were not supposed to search for Americans’ information within that data set.
Analysts are still, however, permitted to search for an American’s information within another repository of emails gathered through the warrantless surveillance program’s so-called Prism or “downstream” system, which gathers emails of foreign targets from providers like Gmail and Yahoo Mail. That system does not collect “about” communications.
The change announced Friday eliminated the factor that made upstream collection more sensitive than Prism collection, and the agency said it was purging its repository of messages it had previously gathered under the old rules. The official said the intelligence court’s presiding judge, Judge Rosemary M. Collyer, has now authorized the agency to use Americans’ identifiers to query the upstream internet repository, too, for future intelligence investigations.
Privacy advocates refer to this practice as the “backdoor search loophole” and want Congress to require the government to obtain a warrant to search for Americans’ incidentally collected information without the warrantless surveillance repository.
The FISA Amendments Act — which permits the government to collect from American companies the messages of noncitizens abroad without a warrant, even when they communicate with Americans — is set to expire at the end of this year.
Privacy-minded lawmakers have been discussing using that deadline to push for new limits on the program as part of legislation extending it.
However, the delay in obtaining the court’s annual reauthorization of the program might extend the effective deadline by a few months. An official said Judge Collyer’s orders, issued this week after the upstream problem was resolved, reauthorized the program for a year. That might permit it to continue to operate lawfully until around April 26, 2018, even if Congress fails to enact a new bill by New Year’s Eve.
The ending of “about” collection is a significant change for the N.S.A.’s post-Sept. 11 surveillance using the internet switches of American telecommunications partners. Because of how the internet works, that spying works differently from traditional phone wiretapping, raising novel legal issues.
When President George W. Bush’s administration created the Stellarwind surveillance program in 2001, it did not have to wrestle with issues such as the lawfulness of “about” collection, because the program bypassed statutes and court oversight.
But in its second term, when the administration transitioned the program from one based on a raw assertion of executive power to one rooted in congressional authorization and subject to the intelligence court’s review, it convinced the judges that “about” collection complied with the new law and the Fourth Amendment.
For example, in classified court filings disclosed via a Freedom of Information Act lawsuit by The Times, the government told the intelligence court that such “about” communications were an important tool in fighting terrorism.
“Under the proposed method of conducting electronic surveillance, then, N.S.A. will be in a position not only to learn information about the activities of its targets, but also to discover information about new potential targets that it may never have otherwise acquired,” a 2007 declaration from an agency official explained.
In 2011, however, the N.S.A. told the intelligence court that a byproduct of “about” collection was resulting in the agency’s collection of tens of thousands of purely domestic emails each year. Later that year, Judge John D. Bates, then the presiding judge on the intelligence court, ruled in secret that the practice violated the Fourth Amendment.
The problem stemmed from the fact that internet companies sometimes bundled many messages together and transmitted them as a unit. If even one of them had a foreign target’s email address somewhere in it, all of them were collected and went into a repository that analysts queried while writing intelligence reports.
In October 2011, after the agency proposed the added safeguard of putting the bundled messages in a special database that analysts would generally not be able to access, Judge Bates permitted the N.S.A. to continue the practice.
Although one official initially suggested that the more recent problem was that analysts had improperly accessed that special database, a senior intelligence official clarified that the problem instead stemmed from querying for Americans’ information in upstream data generally.
In its statement, the N.S.A. said that limitation still remained the case, but that it had “determined that in light of the factors noted, this change is a responsible and careful approach at this time.
After the Snowden disclosures, the Privacy and Civil Liberties Oversight Board, an independent watchdog agency, conducted a study of the warrantless surveillance program. Intelligence officials told the board that under current technology, the agency could not halt “about” collection without also losing some messages to or from the targets themselves.