Today, the Office of the Director of National Intelligence (ODNI) announced that it would stop some of the surveillance it conducts on the telecommunications backbone under authority granted by section 702 of the FISA Amendments Act. That announcement came in the form of a press release, a statement, and was reported in a New York Times article by reporter Charlie Savage.
Wow.
Here’s some background, and some questions Congress and the courts are going to need to answer going forward. (For more information, check out my book, American Spies, or this series of blog posts (one, two, three) by Jadzia Butler and me on section 702.
When conducting surveillance of communications as they travel over fiber optic cables (the “Upstream” program), the NSA has been collecting not just communications to and from foreign intelligence targets, but also about those targets. If the stream of internet packets contains a selector associated with a foreign intelligence target, the NSA has been acquiring the entire “internet transaction” containing that selector. This “about” collection means collection takes place even when the relationship between the communicants and the intended target is attenuated—no one is talking to the target.
Further, about communications can pull unrelated messages into the NSA’s coffers. Using this surveillance technique, the government “tasks” a given selector (such as an email address or phone number) in the stream of internet data flowing through particular network gateways (known as the “internet backbone”). If the stream of internet packets contains the selector, the Upstream program will acquire the entire “internet transaction” containing that selector. Some transactions only include one communication (Single Communications Transactions – SCT’s), while others contain multiple discreet communications (Multiple Communications Transactions – MCT’s). Because of the way the NSA conducts Upstream collection, if any communication within an SCT or MCT is “to,” “from,” or even “about” a tasked selector, the entire transaction is collected. The collection of MCT’s further removes the nexus between the communicants and the intended target because any communication that is embedded within a transaction that happens to include a communication that so much as mentions the targeted selector can get swept up.
Despite the fact that this type of surveillance has been taking place since 2001, and that it was supposed to be regulated and overseen by the Foreign Intelligence Surveillance Court (FISC) since 2008, it was only in 2011 that the NSA acknowledged “about” collection and the MCT problem to the FISC. (The public learned about it after revelations based on documents from whistleblower Edward Snowden.) The FISC judge, John Bates, allowed the collection to go forward despite his initial finding that the collection violated the Fourth Amendment. Judge Bates accepted NSA proposed post-collection usage rules, called minimization procedures. The NSA adopted rules for Upstream surveillance that require it to treat MCTs as a special category. The NSA was supposed to put special procedures in place designed to identify when a communication within an MCT is between American citizens.
MCTs were to be screened for irrelevant information, which must be deleted. No agency but the NSA is supposed to have access to MCTs, not the CIA or the FBI.
Judge Bates likely accepted this band aid despite the constitutional problems because the NSA claimed it was not capable of breaking MCTs down into individual messages, not capable of stopping “about” collection, and insisted that this surveillance capability was protecting the nation from terrorists.
ODNI reports that NSA will no longer collect certain internet communications that merely mention a foreign intelligence target. The NSA will delete the vast majority of its upstream internet data to further protect the privacy of U.S. person communications. Further, the changes in policy followed an in-house review of Section 702 activities in which NSA discovered “several inadvertent compliance lapses.” The public is now waiting for a declassified FISC opinion explaining these issues in more detail.
In other words, today we learned that those 2011 safeguards did not work, the NSA can stop about collection, and that our counterterrorism efforts can live without this massive invasion of privacy.
In other words…Wow.
Here are some questions that the courts and Congress will need to answer, especially since section 702 is due to expire at the end of this year, and Americans must decide whether to renew the program, and if so, with what safeguards in place.
The ODNI press release is unclear about whether or not NSA is ceasing all “about” collection, or just that where one of the communicants is an American. The press release says “the Agency will stop the practice to reduce the chance that it would acquire communications of U.S. persons or others who are not in direct contact with a foreign intelligence target.” So, you could read that as both one end foreign and international communication. Or, it could mean stopping collection of only one end foreign, and the word “others” refers to those non-citizens communicating with USPs but not with other foreigners. The statement says “surveillance will now be limited to only those communications that are directly “to” or “from” a foreign intelligence target.” That sounds more comprehensive. However, if ODNI is using “surveillance” to mean electronic surveillance as defined in the FISA then they may still be doing “about” collection on foreign to foreign communications. Word games can make it very hard to understand exactly what official statements mean.
It appears that the NSA now has and maybe has always had a way to filter out Americans’ international communications from Upstream, despite multiple statements to the contrary.
If they can filter statements out, that suggests ODNI can count how many communications in the take are to or from Americans.
You should read “several inadvertent compliance lapses” as “systematic violations of the Fourth Amendment”. Remember that these minimization procedures were required by Judge Bates to ameliorate constitutional violations. Failure to follow those rules is a failure to comply with the Fourth Amendment.
Given the problems that came to light in 2011 and then again now, has section 702 ever been used lawfully?
ODNI admits today that they are using section 702 for “cybersecurity”. That is a topic that the Privacy and Civil Liberties Oversight Board did not study. We do not know anything about how selectors are chosen for cybersecurity, or what the resulting database of information looks like.
While figuring out this problem, the FISC did not let section 702 collection lapse, but extended existing certifications beyond the year expiration period. Under what authority could a FISC judge do this?
NSA is deleting the about collection data they have. That means that they cannot find a way to use it in accordance with the 2011 Bates opinion.
I think this statement marks a change for the better in the way that the ODNI talks about counterterrorism:
NSA previously reported that, because of the limits of its current technology, it is unable to completely eliminate “about” communications from its upstream 702 collection without also excluding some of the relevant communications directly “to or from” its foreign intelligence targets. That limitation remains even today. Nonetheless, NSA has determined that in light of the factors noted, this change is a responsible and careful approach at this time.
Today, the NSA agrees that blindly Collecting It All is not necessarily the right thing to do. Responsible surveillance takes into account civil liberties as well. That is big news indeed.