The members of the President’s Review Group on Intelligence and Communications Technologies will appear on Tuesday, January 14th for hearings before the Senate Judiciary Committee. (Just Security will be live tweeting the event.) Below, we identify 10 lines of inquiry to help promote a robust and productive discussion. We hope the list might be useful in shaping the questions that Senators ask Review Group members, the topics that Review Group members raise of their own accord, and the avenues that the Fourth Estate pursues in reporting and analyzing the issues. The list is not comprehensive. For instance, we do not consider some of the more obvious questions that close observers already expect will be raised in the hearings. Instead, we drill down on a selection of topics that we believe would benefit from further exploration. Our list is informed, in part, by Just Security‘s earlier coverage of the Review Group’s Report.
1. Review Group member Michael Morell has stated that the Section 215 metadata program “has the potential to prevent the next 9/11” (emphasis added). And Group member Geoffrey Stone has stated that “the section 215 telephony meta-data program had not proved necessary to the prevention of any planned terrorist attack since the program’s inception in 2006. At the same time, though, it is certainly possible to imagine a situation in which the section 215 program might produce highly valuable information” (emphasis added).
“Potential” and “certainly possible” are relatively vague terms. More precisely speaking, how much weight should Congress place on the likelihood of the program’s helping to prevent future terrorist attacks?
Additionally, how successful can the program be in the future if it generally includes only major telecommunications carriers such as Verizon and AT&T but does not include many of the smaller carriers – e.g., if it covers “far lower” than 75 percent of all phone calls? [Note: the Report states that the current 215 program collects "only a small percentage of the total telephony meta-data held by service providers."]
2. Review Group member Michael Morell recently wrote that he would expand the Section 215 metadata program to include all telephone calls and emails, but he added “[t]his is a personal view; it is not something the review group opined on or even discussed.” It was unclear whether he meant that the Group did not discuss these ideas in its Report or that these ideas did not even arise in the Group’s internal deliberations.
Did the Group consider such options? If not, why not? What is the opinion of other Group members about the idea of expanding the Section 215 program to include all telephone calls or to include email?
3. The Review Group recommends that the metadata for the Section 215 program be held by private companies. Some commentators have suggested that this decentralization of the metadata would come at the cost of slowing down investigations. The Report acknowledges that “there might be problems in querying multiple, privately held data bases simultaneously and expeditiously,” but the Report adds, “it is likely that those problems can be significantly reduced by creative engineering approaches.”
How much can creative engineering approaches reduce the time it might take the NSA to retrieve the information? What do Group members think about the statement by Princeton University Professor Edward Felten that “a simple electronic interface” between the NSA and telephone companies “could perform the government’s three-hop analysis essentially instantaneously—in a matter of seconds or less.” Is that realistic?
4. With respect to the Review Group’s recommendation that the storage of bulk telephony metadata by the government be transferred to storage by private providers or third parties, it has been argued that storing the metadata in private hands would (i) make the database more vulnerable to privacy breaches by hackers, foreign governments, etc. and (ii) be subject to less effective oversight by the Executive Branch, the FISC, and Congress.
How persuasive are these concerns and how might Congress and the Executive ensure data security if the database were housed by a private party? How much of these concerns are potentially allayed by the fact that telephony metadata is already housed by telephone companies? What level of risk to individuals’ privacy would be entailed by the recommendation compared to the status quo — either due to the longer period of time that telephone companies would be required to store the data or due to the potential expansion of the metadata program to include more telephone carriers than the present system?
5. While the Review Group does recommend that storage of certain data should be kept by private providers or a third party, the lion’s share of the Report’s recommendations suggest that how the government uses the data may raise more fundamental questions. Nevertheless, the Report provides little in the way of specific guidance on what the appropriate standards for how the government searches and uses the data to which it has access. Law Professors David Cole and Marty Lederman have identified some of these open questions, including (i) how many “hops” should the government be able to perform from the “seed” number?; (ii) when should the government be able to put a name to number?; and (iii) when can names or numbers be used in a criminal investigation?
Did the Group consider or discuss what the elements of the rules for searches and investigations might be? Do members of the Group have views on which institution should establish the appropriate standards of how the databases are mined? Congress? The FISC? Should the FISC play a greater role in overseeing the administration of its search orders to ensure compliance with these standards?
When investigations reveal telephone numbers in the first-, second-, or third-round of “hops,” should the government be entitled to analyze those numbers without judicial oversight or substantive constraints? What should be the standard for conducting further investigations of those numbers, or any identified phone customers, within the metadata collection itself or other mass databases?
6. In Chapter IV of the Report, the Review Group recommends several reforms for foreign intelligence surveillance directed at non-US persons. These recommendations make specific references to surveillance authorized under Section 702 of FISA. The recommendations intend to apply as well to “any other authority that authorizes surveillance of non-US persons”–a reference, presumably, to surveillance activities under E.O. 12333. The Group’s discussion and analysis, however, focuses only on Section 702 authorities, despite the wealth of overseas foreign intelligence surveillance activities (e.g., here and here) that occur under 12333 authorities.
What review did the Group specifically perform of surveillance activities under 12333? What particular recommendations would the members of the Review Group propose for surveillance programs under 12333?
Also, Chair of the Senate Intelligence Committee Diane Feinstein has publicly stated that Congress performs little oversight of surveillance activities performed under 12333. Would the Review Group recommend Congress perform greater oversight of these programs? And if so, what specific oversight mechanisms would be most appropriate and effective?
7. The Report suggests that Section 702 authority is limited beyond what many commentators have thought, because it allows the NSA to intercept communications of non-US persons outside the United States “only if it reasonably believes that a particular ‘identifier’ (for example, an e-mail address or a telephone number) is being used to communicate foreign intelligence information related to such matters as international terrorism, nuclear proliferation, or hostile cyber activities.” The statute itself (50 U.S.C. §1881a), however, neither imposes the limitation of such “identifiers” nor is “foreign intelligence information” narrowly circumscribed to certain specific categories of information, as it is described in the Report. And from documents leaked by Edward Snowden, we have learned that the specific “identifiers” requirement of 702 is not necessarily limited to an particular individual account, such as an email address or phone number, but could include ranges of IP addresses. Furthermore, the NSA is presumably selecting those identifiers only after first collecting a very large pool of communications. [A analysis of this issue in the Report by Julian Sanchez is available here.]
What led the Review Group to conclude that Section 702 is so limited? Are these self-imposed limits from within the Executive Branch? Most importantly, what are Review Group members’ understanding of the full scope of “particular identifiers” that are subject to interception under Section 702?
8. Much (if not most) of the report’s focus is directed towards the devil we know–surveillance activities under Section 215 of the PATRIOT Act and Section 702 of FISA. While much less attention, if any, is given to other programs yet to be disclosed by the government. For example, as previously mentioned in question 6 above, none of the Review Group’s analysis or recommendations were specific to surveillance activities under 12333 authorities. On one level, this is hardly surprising, given that the Report could not be expected to disclose classified information. Nevertheless, this deficiency remains notable, given the vast amount of surveillance that occurs outside Section 215 and Section 702 authorities.
Is this lack of attention in the Report to these undisclosed programs reflective of which activities and programs the Group actually reviewed? What review, if any, of undisclosed surveillance programs did the Review Group perform? What specific inquiries did the Review Group make with respect to these programs and did the NSA (or other appropriate executive branch agency) adequately respond to these inquires so that the Review Group could sufficiently review these programs? Does the Group believe that the problems identified in its report have only arisen in the specific contexts of the disclosed programs? Are any of the recommendations framed with an eye toward other undisclosed programs—and/or toward producing more wholesale changes to U.S. intelligence gathering operations?
9. In discussing the Report’s recommendations concerning non-US persons, Review Group member Cass Sunstein said, “we think it’s very important to affirm that the use of any surveillance will never be done to target people’s political convictions, their religious beliefs.” The Report, however, might be read to suggest that such targeting is fine, as long as religious belief (or political opinion) is just one of multiple criteria. In its recommendations, for example, the Report repeatedly includes as an explicit qualification that “the government should not target a non-US person outside the United States for surveillance solely because of his political or religious activity or expression.” Presumably, this recommendation would seek to extend, by statute or Executive action, current statutory protections for US persons (see e.g., 50 U.S.C. §1861(a)(2)(B), prohibiting using Section 215 orders to target US persons solely based on activities protected by the First Amendment) to non-US persons located outside the United States.
How can the recommendation be squared with the principle that Professor Sunstein identified? That is, how does one reconcile: (a) a principle prohibiting targeting people on the basis of an illicit criterion and (b) a recommendation allowing the government to target individuals on that basis of the criterion as long as it is not the sole criterion? Would the same logic that reconciles these two things apply to targeting on the basis of race and ethnicity? Does the Group’s recommendation not go far enough and should political and religious views be expressly excluded from consideration in all targeting decisions, both for US persons and non-US persons alike? Or, on the other hand, is something wrong with the construction of the principle?
10. As Review Group member Cass Sunstein stated, “[the Group] didn’t clearly separate the things that would require legislation and the things that are properly handled by the executive but certainly elements … could be done within the executive branch.”
Do members of the Group have a view on which major recommendations would be properly, or sufficiently, handled by the Executive Branch alone? What criteria should be used in making such determinations?