PCLOB Report: We Don’t Know How Many Americans’ Emails the NSA Collects Under Section 702—But We Don’t Need to Know

The following is cross-posted from The Classified Section, OpenTheGovernment.org’s new blog on national security secrecy.

The Privacy and Civil Liberties officially released its long-awaited report into Section 702 of FISA yesterday. It has been widely and deservedly panned by civil libertarians: the ACLU, EFF, Center for Democracy and Technology, the Open Technology Institute, the Center for Constitutional Rights, the Constitution Project, Amie Stepanovich, Jennifer Granick, Marcy Wheeler, Liza Goitein, Geoffrey Stone, and more.

From a transparency point of view, the report does provide some new, useful details about how 702 surveillance works–but it leaves crucial questions unanswered, and many of them will remain unanswered even if the government adopts PCLOB’s transparency recommendations.

1. “About” collection does not involve keyword searches of Americans’ emails, but it’s unclear exactly what it does involve

On Monday I discussed “about” collection under section 702, and the possibility that Americans’ communications could end up in the NSA databases for merely sending an email about a surveillance target. The PCLOB report says these fears are based on a misunderstanding of how “about” collection works, and that “selectors may not be key words (such as “bomb” or “attack”), or the names of targeted individuals (“Osama Bin Laden”)” (PDF p. 38; all page number cites for the PCLOB report refer to the page number of the PDF). Rather, selectors are “communications facilities” or “communications identifiers”–“things like phone numbers or emails” (pp. 38, 128).

As Jennifer Granick notes, how reassuring this is depends on the range of possible selectors, a question the PCLOB report does not answer:

“Communications facilities” or “communications identifiers” are undefined terms. Using the mild examples of an email address or phone number doesn’t tell the public how broad a facility can be monitored, or give us an idea how much innocent or constitutionally protected information NSA collects.

Granick raises the possibility that “communications facilities” and “communications identifiers” might include a website URL. If so, Americans’ emails might not be intercepted for sending or receiving emails using the keyword “Julian Assange,” but they might still be intercepted for including a link to a Wikileaks document.

2. The FBI and CIA can access and search the NSA’s raw PRISM data with very few restrictions—and PCLOB does not recommend many changes to this   

One of the PCLOB report’s most useful, and most alarming revelations is how few limits there are on the CIA’s and FBI’s use of section 702 data, particularly data collected under the PRISM program. The report discloses that:

• “a copy of the raw data acquired via PRISM collection — and, to date, only PRISM collection — may also be sent to the CIA and/or FBI” (p. 39) but “neither agency receives all PRISM data acquired by the NSA” (p. 59).
• “the CIA and FBI have processes to nominate” targets to the NSA under section 702 although the NSA makes the ultimate targeting decision (p. 52).
• “NSA, CIA, and FBI’s Section 702 minimization procedures all permit these agencies to query unminimized Section 702–acquired information” (p. 60).
• The CIA’s “minimization procedures” require that queries on unminimized content, including queries on U.S. persons, be “reasonably designed to find and extract foreign intelligence information” and that a record be kept of those queries (p. 62). Queries do not need to be pre-approved, however (p. 62).
• “In 2013, the CIA conducted approximately 1,900 content queries using U.S. person identifiers,” using approximately 1400 unique identifiers (p. 63).
• “CIA minimization procedures do not contain a standard for conducting metadata queries,” including queries of U.S. identifiers. FISA and CIA procedures do forbid certain forbidden purposes “such as trying to find information about a love interest.” (p. 63).
• “The CIA does not track how many metadata-only queries using U.S. person identities have been conducted,” or keep other records on such queries (p. 63).
• The FBI can query 702 data for Americans’ information “to find and extract” both “foreign intelligence information” and “evidence of a crime” (p. 63).
• The FBI’s minimization procedures require investigators to “maintain records of all terms used to query content. These records identify the agent or analyst who conducted the query, but do not identify whether the query terms are U.S. person identifiers” (p. 64). In practice the FBI also records metadata queries, since they are conducted in the same databases (p. 64).
• The FBI does not track the number of U.S. person queries it conducts of 702 data, but that number is “substantial” for two reasons. First, the FBI keeps 702 data in the same databases as other FISA data, which can target U.S. persons (p.64).  Second,

whenever the FBI opens a new national security investigation or assessment, FBI personnel will query previously acquired information from a variety of sources, including Section 702, for information relevant to the investigation or assessment. With some frequency, FBI personnel will also query this data, including Section 702–acquired information, in the course of criminal investigations and assessments that are unrelated to national security efforts (p. 64).

FISA’s definition of “foreign intelligence information” is quite broad. It includes not only information about terrorism, proliferation of weapons of mass destruction, or potential attacks and “clandestine intelligence activities” by a foreign power, but also information that the intelligence community regards (for foreigners) as relevant to or (for Americans) necessary to “the national defense or the security of the United States” or “the conduct of the foreign affairs of the United States.”  So the PCLOB’s recommendation that agencies be required to provide a written record of why a query is likely to generate “foreign intelligence information” may not provide much substantive protection, even if adopted—though it would be an improvement over the current situation where the CIA can conduct standard-less backdoor metadata searches with no paper trail.

3. We have no idea how many Americans’ communications are intercepted under section 702—and PCLOB does not suggest requiring the government to tell us

How much information any NSA, FBI, or CIA “back door” search turns up on Americans depends on how many Americans’ communications the NSA obtains under section 702. PCLOB’s report acknowledges that neither the Board, nor Congress, nor the Executive Branch knows how many Americans’ information is being collected.

Section 702 enables collection of huge quantities of data on non-U.S. citizens, without any requirement that they be involved in terrorism, agents of a foreign power, or involved in any activity that threatens the United States in any way. A recent Washington Post report on leaked NSA documents demonstrates the breadth of authorized surveillance. The documents show that in 2010, the government requested, and the Foreign Intelligence Surveillance Court granted, authority to target people likely to possess, receive, or communicate information about the activities of 193 countries—many of them U.S. allies—as well as the United Nations, European Union, and many other international organizations.  

In 2013, the Report notes, the United States collected information on approximately 89,138 “targets” under section 702 (p. 118). Some targets are individuals, but others are not. According to PCLOB, a foreign government or international terrorist group could qualify as a ‘person’ for purposes of targeting under section 702 (p. 126). By 2011,

the government was annually acquiring over 250 million Internet communications, in addition to telephone conversations. The current number is significantly higher. Even if U.S. persons’ communications make up only a small percentage of this total, the absolute number of their communications acquired could be considerable (p. 121).

PCLOB notes that the scale of “incidental collection” on Americans under 702 “could push the entire program close to the line of constitutional reasonableness,” (p. 14) and “lawmakers and the public do not have even a rough estimate of how many communications of U.S. persons are acquired under Section 702” (p. 152).  But it does not suggest that the government be required to provide even a rough estimate. Instead, to provide a “snapshot” of the scope of incidental collection, PCLOB recommends that the NSA annually count the following:

(1) the number of telephone communications acquired in which one caller is located in the United States;

(2) the number of Internet communications acquired through upstream collection that originate or terminate in the United States; 

(3) the number of communications of or concerning U.S. persons that the NSA positively identifies as such in the routine course of its work;

(4) the number of queries performed that employ U.S. person identifiers, specifically distinguishing the number of such queries that include names, titles, or other identifiers potentially associated with individuals; and

(5) the number of instances in which the NSA disseminates non-public information about U.S. persons, specifically distinguishing disseminations that includes names, titles, or other identifiers potentially associated with individuals (p. 151). 

(Oddly, it is unclear from the text of the report whether the Board believes the CIA and FBI, as well as the NSA, should be required to count the number of U.S. person back door searches they perform each year). PCLOB acknowledges that its proposed metrics will not “reveal the number of communication obtained under PRISM collection, which accounts for the vast majority of Internet acquisitions” under section 702 (p. 152).

The Board recommends that the NSA provide these numbers to Congress.  However, it recommends that they be publicly released only “to the extent consistent with national security”—an exception that usually swallows the rule when requesting transparency from the intelligence community.