The following is cross-posted from The Classified Section, OpenTheGovernment.org’s new blog on national security secrecy.
The Privacy and Civil Liberties officially released its long-awaited report into Section 702 of FISA yesterday. It has been widely and deservedly panned by civil libertarians: the ACLU, EFF, Center for Democracy and Technology, the Open Technology Institute, the Center for Constitutional Rights, the Constitution Project, Amie Stepanovich, Jennifer Granick, Marcy Wheeler, Liza Goitein, Geoffrey Stone, and more.
From a transparency point of view, the report does provide some new, useful details about how 702 surveillance works–but it leaves crucial questions unanswered, and many of them will remain unanswered even if the government adopts PCLOB’s transparency recommendations.
1. “About” collection does not involve keyword searches of Americans’ emails, but it’s unclear exactly what it does involve
On Monday I discussed “about” collection under section 702, and the possibility that Americans’ communications could end up in the NSA databases for merely sending an email about a surveillance target. The PCLOB report says these fears are based on a misunderstanding of how “about” collection works, and that “selectors may not be key words (such as “bomb” or “attack”), or the names of targeted individuals (“Osama Bin Laden”)” (PDF p. 38; all page number cites for the PCLOB report refer to the page number of the PDF). Rather, selectors are “communications facilities” or “communications identifiers”–“things like phone numbers or emails” (pp. 38, 128).
“Communications facilities” or “communications identifiers” are undefined terms. Using the mild examples of an email address or phone number doesn’t tell the public how broad a facility can be monitored, or give us an idea how much innocent or constitutionally protected information NSA collects.
Granick raises the possibility that “communications facilities” and “communications identifiers” might include a website URL. If so, Americans’ emails might not be intercepted for sending or receiving emails using the keyword “Julian Assange,” but they might still be intercepted for including a link to a Wikileaks document.
2. The FBI and CIA can access and search the NSA’s raw PRISM data with very few restrictions—and PCLOB does not recommend many changes to this
One of the PCLOB report’s most useful, and most alarming revelations is how few limits there are on the CIA’s and FBI’s use of section 702 data, particularly data collected under the PRISM program. The report discloses that:
whenever the FBI opens a new national security investigation or assessment, FBI personnel will query previously acquired information from a variety of sources, including Section 702, for information relevant to the investigation or assessment. With some frequency, FBI personnel will also query this data, including Section 702–acquired information, in the course of criminal investigations and assessments that are unrelated to national security efforts (p. 64).
FISA’s definition of “foreign intelligence information” is quite broad. It includes not only information about terrorism, proliferation of weapons of mass destruction, or potential attacks and “clandestine intelligence activities” by a foreign power, but also information that the intelligence community regards (for foreigners) as relevant to or (for Americans) necessary to “the national defense or the security of the United States” or “the conduct of the foreign affairs of the United States.” So the PCLOB’s recommendation that agencies be required to provide a written record of why a query is likely to generate “foreign intelligence information” may not provide much substantive protection, even if adopted—though it would be an improvement over the current situation where the CIA can conduct standard-less backdoor metadata searches with no paper trail.
3. We have no idea how many Americans’ communications are intercepted under section 702—and PCLOB does not suggest requiring the government to tell us
How much information any NSA, FBI, or CIA “back door” search turns up on Americans depends on how many Americans’ communications the NSA obtains under section 702. PCLOB’s report acknowledges that neither the Board, nor Congress, nor the Executive Branch knows how many Americans’ information is being collected.
Section 702 enables collection of huge quantities of data on non-U.S. citizens, without any requirement that they be involved in terrorism, agents of a foreign power, or involved in any activity that threatens the United States in any way. A recent Washington Post report on leaked NSA documents demonstrates the breadth of authorized surveillance. The documents show that in 2010, the government requested, and the Foreign Intelligence Surveillance Court granted, authority to target people likely to possess, receive, or communicate information about the activities of 193 countries—many of them U.S. allies—as well as the United Nations, European Union, and many other international organizations.
In 2013, the Report notes, the United States collected information on approximately 89,138 “targets” under section 702 (p. 118). Some targets are individuals, but others are not. According to PCLOB, a foreign government or international terrorist group could qualify as a ‘person’ for purposes of targeting under section 702 (p. 126). By 2011,
the government was annually acquiring over 250 million Internet communications, in addition to telephone conversations. The current number is significantly higher. Even if U.S. persons’ communications make up only a small percentage of this total, the absolute number of their communications acquired could be considerable (p. 121).
PCLOB notes that the scale of “incidental collection” on Americans under 702 “could push the entire program close to the line of constitutional reasonableness,” (p. 14) and “lawmakers and the public do not have even a rough estimate of how many communications of U.S. persons are acquired under Section 702” (p. 152). But it does not suggest that the government be required to provide even a rough estimate. Instead, to provide a “snapshot” of the scope of incidental collection, PCLOB recommends that the NSA annually count the following:
(1) the number of telephone communications acquired in which one caller is located in the United States;
(2) the number of Internet communications acquired through upstream collection that originate or terminate in the United States;
(3) the number of communications of or concerning U.S. persons that the NSA positively identifies as such in the routine course of its work;
(4) the number of queries performed that employ U.S. person identifiers, specifically distinguishing the number of such queries that include names, titles, or other identifiers potentially associated with individuals; and
(5) the number of instances in which the NSA disseminates non-public information about U.S. persons, specifically distinguishing disseminations that includes names, titles, or other identifiers potentially associated with individuals (p. 151).
(Oddly, it is unclear from the text of the report whether the Board believes the CIA and FBI, as well as the NSA, should be required to count the number of U.S. person back door searches they perform each year). PCLOB acknowledges that its proposed metrics will not “reveal the number of communication obtained under PRISM collection, which accounts for the vast majority of Internet acquisitions” under section 702 (p. 152).
The Board recommends that the NSA provide these numbers to Congress. However, it recommends that they be publicly released only “to the extent consistent with national security”—an exception that usually swallows the rule when requesting transparency from the intelligence community.