The consensus is clear that spying on innocent Americans section 215 of the Patriot Act is flatly illegal. The Center for Democracy and Technology said it, Christopher Sprigman and I said it, Laura Donohue said it, Judge Richard Leon said it, the Privacy and Civil Liberties Oversight Board (PCLOB) said it, Sprigman and I said it again.
So far, less attention has been paid to the legality—and wisdom—of mass surveillance under section 702 of the FISA Amendments Act (FAA), codified at 50 USC 1881a. Section 702 is the statutory authority for the PRISM program, which involves warrantless collection of communications contents via targeting non-U.S. individuals or entities reasonably believed to be located abroad. The USA Freedom Act would strengthen and impose additional restrictions on section 702 surveillance, but would not end the dragnet. Meanwhile, a report from the New America Foundation recently took a serious look at the efficacy of 702 in counterterrorism. Researchers concluded that section 702 is less valuable than people may have assumed, finding that section 702 collection played a role in only 4.4 percent of examined terrorism cases. In a few months, PCLOB plans to issue a report on section 702 collection.
So it’s a great time to take a serious look at reforming section 702. This post is the first in a series where I’ll explain the law, PRISM, and the ways in which intelligence agencies are using and abusing this collection authority. In the end, I’ll make a series of recommendations for how we might begin to reform 702.
LEGAL BACKGROUND
Section 702 authorizes warrantless acquisition of communications—including Americans’ communications—if at least one party to the message is overseas, and the target—that is the person or entity about which the government wants information—is a non-U.S. person.
When intelligence officials accurately describe the law, they do not say this. Rather, they say that the law allows them to target non-US persons reasonably believed to be abroad in order to collect foreign intelligence information. That’s true, but it encourages the false belief that only non-citizens are affected by section 702 collection. Before the Snowden disclosures, government surveillance lawyers like myself were in an ongoing “yes you do—no we don’t” argument with the intelligence agencies about what section 702 authorized. People who knew better used careful language to imply the legal tool had nothing to do with Americans and that if Americans were affected, it was only rarely. Thanks to Snowden, we are no longer pretending the Emperor has on clothes.
So let’s be clear:
While section 702 requires a non-US entity be the target of surveillance, anyone who communicates with agents of the target, or has foreign intelligence information about the target, may be monitored. In sum, under this law, the government:
- MAY warrantlessly acquire Americans’ foreign to foreign or one-end US communications to, from or about the target; and
- MAY warrantlessly acquire Americans’ domestic communications, so long as the acquisition was unintentional.
FACTUAL BACKGROUND
Capturing Americans’ one-end-foreign communications is part and parcel of section 702. So, how many American messages does the NSA collect under this legal authority? According to a newly declassified 2011 FISA court opinion by Judge John Bates, the NSA obtained approximately 250 million communications under section 702 that year. Most of those messages, 91%, came from service providers like Google, Yahoo! and Microsoft, via PRISM. The remainder are vacuumed off the fiber optic backbone of the Internet—upstream collection.
When conducting upstream collection, NSA’s systems don’t always pull single messages; rather, they regularly capture what the agency, with characteristic opacity, refers to as “Internet transactions.” An “Internet transaction” may be comprised of a single message – an “SCT”, in NSA-speak. But Internet transactions often contain multiple messages – the agency refers to this bundle of messages as an “MCT”. If only one message in an MCT is responsive to the NSA’s targeting terms, the NSA devices nonetheless pull the entire package of messages into the NSA databases. Further, MCTs can contain messages that have nothing to do with foreigners or foreign intelligence. NSA’s internal auditing, done at Judge Bates’ version of gunpoint, put the number of improperly collected wholly domestic American messages at approximately 56,000 that year.
But how many one-end-foreign communications are lawfully swept up in section 702 collection? We do not know, because the NSA refuses to count it. Senator Wyden has repeatedly asked both Director of National Intelligence James Clapper and NSA Director General Keith Alexander:
- Have any entities made any estimates — even imprecise estimates — about how many US communications have been collected under section 702 authorities?
- Is it possible for the intelligence community to estimate the order of magnitude of this number? (For example, is it closer to 100, or 100,000, or 100 million?)
- To your knowledge, have any wholly domestic communications been collected under Section 702 authorities?
He has never received a response.
PROBLEMS WITH SECTION 702
In an earlier post, I highlighted some of the pernicious results of section 702:
- Americans’ communications with targets overseas are subject to warrantless interception. Once those communications are collected, current rules allow the NSA to search the trove for U.S. person identifiers, which Senator Ron Wyden has referred to as the “back door searches loophole”.
- The non-U.S. targets include regular people, not just those who are agents of foreign powers. While analysts provide their foreign intelligence purpose when selecting the target, the rationale is just one short sentence.
- By untethering surveillance from facilities that the target uses, the FAA greatly increased the opportunity for the NSA to collect information about rather than just to or from the target. As an example, if I monitor a network for “Jennifer Granick” and Jennifer Granick uses that network, I’ll get her communications, and maybe some messages about her. If I can monitor facilities “Jennifer Granick” doesn’t use, even accurate selectors will pull messages about her.
That last one might sound ok if the target is a known terrorist. But the definition of foreign intelligence is far broader than that, and includes information related to (A) the national defense or the security of the United States; or (B) the conduct of the foreign affairs of the United States. So, section 702 allows collection of what we might say about NSA targets like al Qaeda—or even Iran, France, Wikileaks, Petrobras, the Institute of Physics at the Hebrew University of Jerusalem, UNICEF, Medicines du Monde, or any other entity that helps the U.S. government “understand economic systems and policies, and monitor anomalous economic activities”. The government has absolutely no legitimate business listening in on anyone’s conversations about these matters.
[By the way, I support public disclosure of the identities of these controversial NSA targets. Knowing who the NSA thinks is legitimate to spy on gives us a much clearer idea of the topics they believe justify spying on Americans—under 702 or otherwise—as well.]
In fact, section 702 endangers U.S. person privacy far beyond that of any other surveillance authorization.
- Any number of individuals may be intentionally targeted as a result of a single FAA authorization and need not be specifically identified. Therefore, more Americans are likely to be monitored since an undefined and evolving list of individuals may be believed to be agents of approved targets, and those individuals may talk with Americans;
- No wrongdoing required on the part of the target, who need not even be an agent of a foreign power as under traditional FISA;
- Intelligence agents may monitor any facility, even if there is no connection to the target. This vastly expands the opportunities for “about” collection of communications between wholly innocent and uninvolved people;
- Minimization obligations under the FAA are far weaker than even those under traditional FISA because the FISA court has less authority to authorize, implement and oversee compliance with the rules;
- Under section 702, there is no judicial review of the government’s justification for the surveillance or identification of targets;
- The government makes no notification to individuals incidentally or mistakenly monitored; and
- It is very difficult to learn about, or to impose consequences, for violating the FAA.
CURRENT REFORM PROPOSALS
The USA FREEDOM Act is the lead proposal to reform section 702. Currently, USA FREEDOM would:
- Close the “back door searches” loophole wherein government officials warrantlessly search communications databases using U.S. person selectors;
- Prohibit the government from collecting communications that are “about the target” in non-terrorism contexts;
- Strengthen the prohibition against “reverse targeting,” meaning targeting a foreigner in order to warrantlessly acquire the communications of an American who is known to be communicating with that foreigner; and
- Place stronger statutory limits on the use of unlawfully collected information.
These proposals are an important start, but compared with the list of reasons why section 702 poses such danger to privacy, it is not enough.
TOWARDS A LIST OF RECOMMENDATIONS
- As Professor Christopher Sprigman and I argued in the New York Times, PRISM is designed to produce at least 51 percent confidence in a target’s “foreignness” — as John Oliver of “The Daily Show” put it, “a coin flip plus 1 percent.” We believe that the NSA intentionally designed PRISM so that it is a certainty it will regularly acquire information it is not allowed to have. Whether or not you agree with us or not that this is illegal, the fact remains that statistically the NSA is getting an immense amount of information it is not allowed to have, even under the terrifyingly broad auspices of section 702. That must be changed.
- Another fundamental problem with section 702 is that it authorizes targeting and monitoring of average citizens of other countries for reasons that are not necessarily related to the security of the United States. Targets need only be non-U.S. persons, and communications which are not purely domestic are fair game. This disregard for other people’s privacy is a terrible idea. Not only does it violate international human rights principles, but—as Sprigman and I wrote back in June—it’s bad for American business and democracy. We can alleviate this problem through reintroducing some or all of the safeguards under traditional FISA, like limiting targets to foreign powers or agents of foreign powers, or limiting collection to facilities that the targets actually use. If we are going to continue to dragnet through foreigners’ communications with each other and with Americans, we might limit the categories of foreign intelligence information for which such a tool is used to counterterrorism and national security, and not for the mere conduct of foreign affairs or collection of economic information.
- Good policy requires public awareness of how many Americans’ communications are swept up in section 702. We should be told that now, and the government should be obligated to do some kind of regular reporting.
- The current proposal would allow “about” collection in terrorism contexts. But innocent people talk about terrorism all the time. We discuss and tell jokes about Osama bin Laden, we wonder about Yemen safe houses and Taliban oppression. We’ve seen no meaningful way that the government distinguishes between these healthy, private conversations, and obtaining meaningful intelligences. Until we do, we should consider completely prohibiting “about the target” collection.
- Back door searches should require at least a Title III warrant. Outside of section 702, the government would not have access to this information concerning Americans without complying with the dictates of the Wiretap Act (or perhaps in some cases traditional FISA), and it should not be able to avoid those protections via a dragnet.
- Similarly, we should consider under what conditions, if any, it is appropriate share communications obtained in a dragnet with the Internal Revenue Service, Drug Enforcement Agency, Alcohol, Tobacco and Firearms, or other law enforcement agencies. If and when such referrals are made, the subjects ought to be notified.
- Minimization should at least meet the standard of traditional FISA if not better.
- People who are incidentally or mistakenly collected on should be notified.
- We need to make it easier to enforce surveillance limitations, for victims of violations to obtain judicial remedies, and for public courts to review the lawfulness of Executive Branch operations.
So far, there has been no robust investigations into the sketchy ways the NSA is implementing section 702 via PRISM and overbroad upstream collection. Nor have we had a good public debate about the dangers of section 702 and how to avoid them. Nor have we talked about the ways privacy is being decimated by the NSA’s overseas collection. Now is the time for the NSA to come clean about what it is doing. Now is the time to have those public conversations. And now is the time to think creatively about enforcing the laws we have implementing reforms to alleviate the problems we’ve learned about.