The Guardian has just released a new bunch of FISA documents relating to the NSA’s PRISM spying program, in particular regarding the circumstances under which it can can collect data on US citizens, and the measures it must take to “minimize” that data.

Until now, the government has insisted that these rules help to ensure that US citizens are protected from unnecessary surveillance. The problem is, this latest leak suggests that’s anything but the case. The two documents, which are said to have been authorized by Attorney General Eric Holder in 2009, reveal how the secret FISA court has apparently approved a number of policies that allow the NSA to make US of intelligence gathered on US citizens, albeit with some limitations.

Glenn Greenwald provides an overview of the document’s contents:

“The top secret documents published today detail the circumstances in which data collected on US persons under the foreign intelligence authority must be destroyed, extensive steps analysts must take to try to check targets are outside the US, and reveals how US call records are used to help remove US citizens and residents from data collection.”

Of particular concern is the weakness and ambiguity of the process undertaken by the NSA to establish whether or not a target is located in the US. According to the documents, the NSA asks a number of questions:

Supposing the target passes that test, the NSA carries out a further examination to be certain of the target’s nationality and location, including checks on their IP and phone number. Should the target fail to pass these tests – meaning he or she is believed to be a US citizen – the NSA still doesn’t necessarily have to delete all of the data its collected. According to Greenwald, the documents explain how the NSA is allowed to:

• Retain data that might pertain to US nationals for up to five years.
• Keep and make use of domestic communications that have been “inadvertently acquired” if they’re believed to if contain usable intelligence, information on criminal activity, threat of harm to people or property, are encrypted, or are believed to contain any information relevant to cybersecurity;
• Preserve attorney-client communications if these are believed to contain “foreign intelligence information.”
• Access the content of emails and phone calls collected from “US-based machine[s]” or phone numbers, so it can establish if the targets are indeed located within the US, before ceasing any surveillance.

The provision on encrypted communications rings immediate alarm bells – as Ars Technica points out in its own analysis, this means that any US citizen using email encryption or the Tor network for example, “will not be treated as a United States person, unless such person can be positively identified as such, or the nature or circumstances of the person’s communications give rise to a reasonable belief that such person is a United States person.”

In other words, if data is encrypted, the NSA is allowed to assume that those communications might contain some secret information of interest to national security, meaning it can keep this data for longer than the five year “minimization” period prescribed by the documents. In addition, the NSA is allowed to share this information with outside agencies like the CIA, on the understanding that those agencies will carry out their own “minimization” later.

Given the scope of PRISM, it would seem almost unavoidable that large amounts of data from US citizens are not being scooped up by the NSA. In turn, this raises some serious questions about the government’s assurances that the NSA doesn’t intentionally collect data from Americans – maybe it does, maybe it doesn’t – but as The Guardian states, the rules nevertheless “allow the NSA to use US data without a warrant.”