Edward Snowden's disclosures have thus far centered on two NSA programs. One is
domestic - the so-called metadata program, operated pursuant to section 215 of the
USA PATRIOT Act, n13 and entailing the bulk collection of call record information,
including phone numbers and times of calls. n14 The other is foreign - the PRISM
program, operated pursuant to section 702 of the Foreign Intelligence Surveillance
Act (FISA). n15 Under section 702, the government may conduct surveillance
targeting the contents of communications of non-U.S. persons reasonably believed
to be located abroad when the surveillance will result in acquiring foreign
intelligence information. n16 The FISC must approve any government request for
surveillance under section 702, although these requests can [*2141] describe
broad types of communications without identifying particular individuals. n17
Under section 702, "foreign intelligence information" that the government may
acquire includes a number of grounds related to national security, such as
information relating to an "actual or potential attack" or "other grave hostile acts of
a foreign power or an agent of a foreign power." n18 It also includes information
relating to possible sabotage n19 and clandestine foreign "intelligence activities."
n20 Another prong of the definition appears to sweep more broadly, including
information relating to "the conduct of the foreign affairs of the United States." n21
Despite the greater breadth of this provision, President Obama informed a domestic
and global audience that U.S. intelligence agencies seek a narrow range of
information centering on the national security and foreign intelligence concerns
described above. n22 While the U.S. intelligence agencies acquire a substantial
amount of data that does not fit under these rubrics, the president's speech
confirmed that U.S. analysts do not rummage through such data randomly or for
invidious purposes. n23 A scatter-shot approach of this kind would be unethical,
illegal, and ineffective. Instead, NSA officials query communications using specific
"identifiers" such as phone numbers and email addresses that officials reasonably
believe are used by non-U.S. persons abroad to communicate foreign intelligence
information. n24 The government must also have in place minimization procedures
to limit the acquisition, retention, and dissemination of nonpublic information about
U.S. persons. n25 The NSA deletes all irrelevant content, including content from
non-U.S. persons, after five years. n26
In acknowledging the "legitimate privacy interests" of both U.S. and non-U.S.
persons, President Obama affirmed the U.S. commitment to core principles in
January 2014. n27 First, he narrowed the operating definition of [*2142] foreign
intelligence information, limiting it to "information relating to the capabilities,
intentions, or activities of foreign governments or elements thereof, foreign
organizations, foreign persons, or international terrorists." n28 In addition, he
asserted that the NSA would engage in bulk collection of communications for
purposes of "detecting and countering" terrorism, espionage, nuclear proliferation,
threats to U.S. forces, and financial crimes, including evasion of duly enacted
sanctions. n29 Addressing anticipated concerns that these limits still left the NSA
with too much discretion, President Obama declared what the United States would
not do. First, it would not collect communications content "for the purpose of
suppressing or burdening criticism or dissent, or for disadvantaging persons based
on their ethnicity, race, gender, sexual orientation, or religion." n30 Second, it
would disseminate and store information regarding any person based on criteria in
section 2.3 of Executive Order 12,333 n31: cases involving "foreign intelligence or
counterintelligence," public safety, or ascertainment of a potential intelligence
source's credibility. n32
Of course, President Obama's speech did not quell the complaints of NSA critics.
One could argue that even the description the president provided has legal flaws
under domestic and/or international law. One can also argue that the president's
policy directive, statutory provisions, and case law cannot wholly eliminate the
possibility of systemic or individual abuse of NSA authority. That said, there are
compelling reasons for treating the president's speech and directive as an
authoritative and binding statement of U.S. policy. The most compelling reason
may be the simplest: no American president has ever been so forthright on the
subject of intelligence collection, and few heads of state around the globe have
ventured down the path that President Obama chose. n33 That alone counsels
treating President Obama's guidance as more than "cheap talk."
There is no doubt the Snowden disclosures have launched a debate that raises
significant issues regarding the extent of U.S. government national security
surveillance authorities and activities. And Julian Sanchez's essay "Snowden: Year
One" raises a number of these issues, including whether the surveillance is too
broad, with too few limits and too little oversight. But an overarching theme of
Sanchez's essay is fear - and fear of what might be overshadows what actually is,
or is even likely. Indeed, he suggests that by just tweaking a few lines of code the
NSA's significant capabilities could be misdirected from targeting valid
counterterrorism suspects to Americans involved in the Tea Party or Occupy
movements.
So really, what would it take to turn NSA's capabilities inward, to the dark corner of
monitoring political activity and dissent? It turns out, quite a lot. So much, in fact,
that after a considered review of the checks and balances in place, it may turn out
to be not worth fearing much at all.
First, a little history. Prior to 1978, NSA conducted surveillance activities for foreign
intelligence purposes under Executive authority alone. In 1978, Congress passed
the Foreign Intelligence Surveillance Act (FISA), which distinguished between
surveillance that occurred here at home and that which occurred overseas. FISA
requires that when electronic surveillance is conducted inside the United States, the
government seek an order from the Foreign Intelligence Surveillance Court (FISC or
the Court) based on probable cause. So, if the government wants to conduct
surveillance targeting a foreign agent or foreign power here in the United States, it
must obtain FISC approval to do so. By law, the Court may not issue an order
targeting an American based solely on activities protected by the First Amendment
to the Constitution. The Attorney General is required to report on the full range of
activities that take place under FISA to four congressional committees: both the
intelligence and judiciary committees in Congress. The law requires that the
committees be fully informed twice each year.
There have been a number of amendments to FISA over the years. In 1994, the
statute was amended to require that physical searches for national security
purposes conducted inside the United States also happen by an order from the FISC.
The USA-PATRIOT Act of 2001 amended several provisions of FISA, one of which
enabled better sharing of information between terrorism and criminal investigators.
And in 2008, FISA was amended to provide a statutory framework for certain
approvals by the Attorney General, Director of National Intelligence, and FISC
regarding the targeting of non-U.S. persons reasonably believed to be outside the
United States for foreign intelligence purposes, when the cooperation of a U.S.
communications service provider is needed.
So how do we know that this system of approvals is followed? Is the oversight over
NSA's activities meaningful, or decorative, as Sanchez suggests?
It is worth exploring. Here is how oversight of the Section 702 surveillance works, as
one example, since it has been the subject of a significant part of the debate of the
past year. Section 702 was added to FISA by the FISA Amendments Act of 2008. It
authorizes the NSA to acquire the communications, for foreign intelligence
purposes, of non-U.S. persons reasonably believed to be outside the United States.
These are persons with no Constitutional protections, and yet, because the
acquisition requires the assistance of a U.S. electronic communications provider,
there is an extensive approval and oversight process. There is a statutory
framework. Specifically, the Attorney General and Director of National Intelligence
jointly approve certifications. According to declassified documents, the certifications
are topical, meaning, the way the statute is being implemented, the certifications
are not so specific that they identify individual targets; but they are not so broad
that they cover any and everything that might be foreign intelligence information.
The certifications are filed with the FISC, along with targeting and minimization
procedures. Targeting procedures are the rules by which NSA selects valid foreign
intelligence targets for collection. Minimization procedures are rules by which NSA
handles information concerning U.S. persons. The FISC has to approve these
procedures. If it does not approve them, the government has to fix them. The Court
reviews these procedures and processes annually. The Court can request a hearing
with government witnesses (like senior intelligence officials, even the NSA Director,
if the judge wanted or needed to hear from him personally) or additional information
in order to aid in its decisionmaking process. Information about the 702
certifications is reported to the Congressional intelligence committees.
Once the certifications are in effect, attorneys from the Department of Justice's
(DOJ) National Security Division and attorneys and civil liberties officials from the
Office of the Director of National Intelligence (ODNI) review the NSA's targeting
decisions and compliance with the rules. They conduct reviews at least every 90
days. During that 90-day period, oversight personnel are in contact with NSA
operational and compliance personnel. Compliance incidents can be discovered in
one of at least two ways: the NSA can self-report them, which it does; or the DOJ
and ODNI oversight personnel may discover them on their own. Sometimes the
NSA does not report a compliance incident in the required timeframe. Then the time
lag in reporting may become an additional compliance incident. The DOJ and ODNI
compliance teams write up semi-annual reports describing the results of their
reviews. The reports are approved by the Attorney General and Director of National
Intelligence and provided to the FISC and to Congress. According to the one report
that has been declassified so far, in August 2013, for a six-month period in 2012,
the rate of error for the NSA's compliance under Section 702 collection was .49% -
less than half of one percent. If we subtract the compliance incidents that were
actually delays in reporting, then the noncompliance rate falls to between .15-.25%
- less than one quarter of one percent. Hardly an agency run amok.
The protection most of us enjoy under PRISM may be more practical than legal. The
amount of data that can be collected limits the reach of the program. Not only is
capturing too much information from innocent Americans a waste of resources, but
also suspicious communications can be lost in a forest of irrelevant data. The NSA
thus has powerful reasons to limit impermissible observations, at least where there
is no good reason to suspect Americans of terrorist involvements. Still we lack two
bits of information important in assessing this program. One is the fate of
information pertaining to Americans who should not have been observed in the first
place. If this information is purged from all databases except perhaps when the
person is dangerous, erroneous capture is less of a concern than it otherwise would
be. Second, we don't know how monitoring targets are determined or the number of
targets selected. To the extent that individuals, organizations and sites are targeted
based on target-specific concerns about the threats they pose, the net cast is likely
to be narrow, and even if the reasons for targeting do not rise to the level of legally
cognizable probable cause, they tend in this direction. But if targets are selected
based on the impersonal outputs of other data mining efforts like the telephone
records that feed Boundless Informant, all bets are off. Depending on the algorithms
used and the degree to which they have been empirically validated, the net could
be wide or narrow, and the likelihood that a target would be involved in terrorism or
that citizens would be swept into the net may be great or small. Congress in
overseeing PRISM should demand this information if it is not already provided.
It is easy to be cynical about government and the respect that agencies show for
the laws under which they operate. Cynicism is fed by occasional scandals and by
the more frequent pseudo-scandals which make it appear that within the Beltway
things are out of control. Having spent four years as a Division Director at the
National Science Foundation and three years as Chief Scientist in the Human
Factors/Behavioral Science Division of DHS's Science and Technology Directorate, I
am not cynical. Time and again I have seen government employees seek to follow
the law even when it seems silly and interferes with their mission. When I joined
DHS I was most surprised by the fierceness of efforts to comply with the U.S. Privacy
Act. At times interpretations of what the Act protected were so broad as to border
on the ridiculous, and costs were real: research projects with national security
implications were delayed, redesigned or even precluded because privacy officers,
sometimes with little basis in the statute, felt there was a risk that personally
identifiable information (PII) would be impermissibly collected. The absence of any
reason to fear revelation or misuse made no difference. The strict scrutiny applied
to research that might involve PII is, to be sure, relaxed in front line operational
settings like PRISM and legal restrictions may differ, but my experience in two
agencies as well as conversations with people in the intelligence community (IC)
lead me to believe that it is a mistake to regard as a sham the legal restrictions on
PRISM or other IC data mining and surveillance activities.
Through its PRISM and Boundless Informant efforts, NSA is working to protect the
nation, apparently with some success. The 99.9% of us who pose no threat of
terrorism and do not inadvertently consort with possible terrorists should not worry
that the government will track our phone or internet exchanges or that our privacy
will be otherwise infringed.
Economy answers
It's been two years since Edward Snowden leaked details of the NSA's PRISM
surveillance program, and although analysts predicted an exodus from US-based
cloud and hosting services in response to the revelations, it hasn't exactly worked
out that way, a new report finds.
Forrester released a new report last week that suggests concerns around
international customers severing ties with US-based hosting and cloud companies
were overblown.
"Lost revenue from spending on cloud services and platforms comes to just over
$500 million between 2014 and 2016. While significant, these impacts are far less
than speculated, as more companies reported taking control of security and
encryption instead of walking away from US providers," Forrester's principal analyst
serving security and risk professionals Edward Ferrara said in a blog post.
Snowden recently told a crowd of cloud and hosting providers that use of encryption
is growing, and encrypted traffic has doubled since 2013.
In 2013, Forrester predicted that US cloud providers could lose up to $180 billion in
business by 2016 due to concerns around the scope of NSA's PRISM program.
According to NextGov, Forrester finds that 26 percent of enterprises based in Asia
Pacific, Canada, Europe and Latin America have stopped or reduced their spending
with US-based firms for Internet-based services. Thirty-four percent said these
concerns were related to fears of US surveillance, while others said they want to
support businesses in their own country, or data sovereignty rules prevent them
from storing data abroad.
Forrester surveyed more than 3,000 businesses between June and July 2014.
More than half of respondents said that they did not trust US-based outsourcers to
handle sensitive information, with only 8 percent reporting to trust their company's
intellectual property with a US-based outsourced company.
Ninety percent of decision-makers have taken steps to encrypt their data, according
to the report.
When Edward Snowden revealed the extent of the U.S. National Security Agency's
PRISM spying program, there were concerns that American cloud, hosting and
outsourcing businesses would lose customers running to non-U.S.-based companies
safe from NSA's prying eyes.
"The assertion was that this would be a death blow to U.S. firms trying to operate
in Europe and Asia," said Forrester Research analyst Ed Ferrara.
But two recent reports from Forrester find it was less catastrophic than expected.
That's good news for companies like Box (BOX), DropBox and others that make their
money by selling U.S.-based data storage.
Forrester had originally predicted U.S. companies could lose as much as $180 billion
in sales.
Instead, just 29% of technology decision-makers in Asia, Canada, Europe and Latin
America halted or reduced spending with U.S.-based firms offering Internet-based
services due to the PRISM scandal, Forrester's Business Technographics Global
Infrastructure Survey for 2014 found.
"It's a relatively small amount of data," Ferrara said.
That's because most of the companies didn't need to move all their data, much of
which was stored in-house. Instead, only 33% of the data held by that 29% of
companies was at a third-party data center or in a cloud system.
Forrester believes the overall loss to U.S. cloud providers for 2015 will be about $15
billion and in 2016, $12 billion, a far cry from projections that were ten times that a
year ago.
Forrester also found that companies are looking at other ways to protect the
integrity of their data, not just from the NSA but also from surveillance by other
nations.
Chief among them was encryption. Eighty-four percent of the companies said
they're using various encryption methods to protect sensitive material.
The survey's definition of cloud providers is broad, and includes both platform as a
service, infrastructure as a service and software as a service companies, said
Ferrara.
Solvency answers
Solvency 1nc
Modeling is empirically false
Edgar, 4/13/15 - visiting fellow at the Institute and adjunct professor of law at the
Georgetown University Law Center (Timothy, "The Good News About Spying,"
https://www.foreignaffairs.com/articles/united-states/2015-04-13/good-news-about-spying)
Despite high hopes for a fresh start on civil liberties, during his first term in office,
Obama ratified and even expanded the surveillance programs that began under
former President George W. Bush. After NSA contractor Edward Snowden began
revealing the agency's spying programs to The Guardian in 2013, however, Obama
responded with a clear change of direction. Without great fanfare, his administration
has made changes that open up the practices of the United States intelligence
community and protect privacy in the United States and beyond. The last year and
a half has been the most significant period of reform for national security
surveillance since Senator Frank Church led the charge against domestic spying in
the late 1970s.
In 2013, at Obama's direction, the Office of the Director of National Intelligence
(ODNI) established a website for the intelligence community, IC on the Record,
where previously secret documents are posted for all to see. These are not decades-old
files about Cold War spying, but recent slides used at recent NSA training
sessions, accounts of illegal wiretapping after the 9/11 attacks, and what had been
highly classified opinions issued by the Foreign Intelligence Surveillance Court about
ongoing surveillance programs.
Although many assume that all public knowledge of NSA spying programs came
from Snowden's leaks, many of the revelations in fact came from IC on the Record,
including mistakes that led to the unconstitutional collection of U.S. citizens' emails.
Documents released through this portal total more than 4,500 pages - surpassing
even the 3,710 pages collected and leaked by Snowden. The Obama administration
has instituted other mechanisms, such as an annual surveillance transparency
report, that will continue to provide fodder for journalists, privacy activists, and
researchers.
The transparency reforms may seem trivial to some. From the perspective of an
intelligence community steeped in the need to protect sources and methods,
however, they are deeply unsettling. At a Brown University forum, ODNI Civil
Liberties Protection Officer Alexander Joel said, "The intelligence community is not
designed and built for transparency. Our culture is around finding our adversaries'
secrets and keeping our own secrets secret." Accordingly, until only a few years
ago, the intelligence community resisted making even the most basic information
public. The number of FISA court opinions released to the public between 1978 and
2013 can be counted on one hand.
Beyond more transparency, Obama has also changed the rules for surveillance of
foreigners. Until last year, privacy rules applied only to U.S. persons. But in
January 2014, Obama issued Presidential Policy Directive 28 (PPD-28), ordering
intelligence agencies to write detailed rules assuring that privacy protections would
apply regardless of nationality. These rules, which came out in January 2015, mark
the first set of guidelines for intelligence agencies ordered by a U.S. president - or
any world leader - that explicitly protect foreign citizens' personal information in
the course of intelligence operations. Under the directive, the NSA can keep
personal information in its databases for no more than five years. It must delete
personal information from the intelligence reports it provides its customers unless
that person's identity is necessary to understand foreign intelligence - a basic rule
once reserved only for Americans.
The new rules also include restrictions on bulk collection of signals intelligence
worldwide - the practice critics call "mass surveillance." The NSA's bulk collection
programs may no longer be used for uncovering all types of diplomatic secrets, but
will now be limited to six specific categories of serious national security threats.
Finally, agencies are no longer allowed simply to "collect it all." Under PPD-28, the
NSA and other agencies may collect signals intelligence only after weighing the
benefits against the risks to privacy or civil liberties, and they must now consider
the privacy of everyone, not just U.S. citizens. This is the first time any U.S.
government official will be able to cite a written presidential directive to object to an
intelligence program on the basis that the intelligence it produces is not worth the
costs to privacy of innocent foreign citizens.
THOSE IN GLASS HOUSES
Obama's reforms make great strides toward transparency and protecting civil
liberties, but they have been neither celebrated nor matched abroad. When
Chancellor Angela Merkel of Germany found out she had been the target of
American eavesdropping, her reaction was swift. "This is not done," she said, as if
scolding a naughty child. Many Germans cheered. They and other Europeans
believe that their laws protect privacy better than U.S. laws. But that is only partly
true: Although Europe has stronger regulations limiting what private companies
(such as Google and Facebook) can do with personal data, citizens are granted
comparatively little protection against surveillance by government agencies.
European human rights law requires no court approval for intelligence surveillance
of domestic targets, as U.S. law has since 1978. Similarly, European governments
do not observe limits on electronic surveillance of non-citizens outside of their own
territories, as the United States now does under Obama's presidential policy
directive.
By blaming only the NSA for mass surveillance, the public and foreign leaders let
other intelligence services off the hook. No wonder that some human rights
organizations, including Privacy International and Big Brother Watch UK, have filed
legal challenges against mass surveillance by the NSA's British counterpart, the
Government Communications Headquarters (GCHQ). But foreign leaders have taken
few steps to limit government surveillance, and none have done anything
remotely comparable to what Obama did in last year's directive.
Circumvention inevitable
Redmond, 14 - J.D. Candidate, 2015, Fordham University School of Law (Valerie, "I
Spy with My Not So Little Eye: A Comparison of Surveillance Law in the United
States and New Zealand," FORDHAM INTERNATIONAL LAW JOURNAL [Vol. 37:733])
In the United States, the current state of surveillance law is a product of FISA, its
amendments, and its strictures. An evaluation of US surveillance law proves that
inherent loopholes undercut FISA's protections, which allows the US Government to
circumvent privacy protections.182 The main problems are the insufficient
definition of surveillance, the ability to spy on agents of foreign powers, the lack
of protection against third party surveillance, and the ability to collect incidental
information.183
First, a significant loophole arises in the interpretation of the term
"surveillance."184 In order for information collection to be regulated by FISA, it
must fall under FISA's definition of surveillance.185 This definition does not apply to
certain National Security Letters, which are secret authorizations for the Federal
Bureau of Investigation (FBI) to obtain records from telephone companies, credit
agencies, and other organizations if they merely certify that the information is
relevant to an international terrorism investigation.186 National Security Letters are
regularly used to circumvent FISA's warrant procedures.187
Additionally, FISA's definition of surveillance is antiquated because it distinguishes
between data acquired inside of the United States and outside of the United
States.188 This distinction allows the NSA to process surveillance that is received
from other countries irrespective of whether the target is a US citizen.189 Therefore,
the NSA is unrestrained when a communication is not physically intercepted within
the United States.190
Second, an issue arises when US citizens are construed to be agents of foreign
powers under FISA because a warrant can be issued to engage in surveillance
against them.191 According to FISA's procedures, the only way to spy on a US
citizen is when they can be considered to be an agent of a foreign power, or
engaged in information gathering, aiding, or abetting a foreign power.192 However,
this limitation does not result in total privacy protection because it only requires
probable cause that a person is an agent of a foreign power, not that a crime is
being committed.193 The effect of this ability is that the US Government can
conduct surveillance on a US citizen with no ties to terrorism such as a suburban
mother telling her friend that her son bombed a school play.194
Furthermore, FISA is limited to protecting against surveillance by the US
Government; it does not create a reasonable expectation of privacy for individuals
from surveillance by a third party.195 This rule is exploited by the United States'
participation in Echelon.196 Because US law generally does not regulate
information sharing, the United States essentially violates the privacy rights of US
citizens by accepting information from foreign intelligence agencies about potential
threats involving US citizens.197 Thus, the lack of privacy rights when US citizens
are spied on by agencies outside of the United States creates a loophole for spying
on US citizens without the government restrictions created by existing law.198
Lastly, US law allows for the collection of incidental information.199 It is predicted
that Echelon collects nearly all communications, many of which can be considered
incidental.200 Therefore, the fact that FISA allows for the collection of incidental
information suggests that privacy rights can be violated by its involvement in
Echelon.201
The U.S. government has already taken some limited steps to mitigate this damage
and begin the slow, difficult process of rebuilding trust in the United States as a
responsible steward of the Internet. But the reform efforts to date have been
relatively narrow, focusing primarily on the surveillance programs' impact on the
rights of U.S. citizens. Based on our findings, we recommend that the U.S.
government take the following steps to address the broader concern that the NSA's
programs are impacting our economy, our foreign relations, and our cybersecurity:
1. Strengthen privacy protections for both Americans and non-Americans, within
the United States and extraterritorially.
2. Provide for increased transparency around government surveillance, both from
the government and companies.
3. Recommit to the Internet Freedom agenda in a way that directly addresses issues
raised by NSA surveillance, including moving toward international human-rights
based standards on surveillance.
4. Begin the process of restoring trust in cryptography standards through the
National Institute of Standards and Technology.
5. Ensure that the U.S. government does not undermine cybersecurity by inserting
surveillance backdoors into hardware or software products.
6. Help to eliminate security vulnerabilities in software, rather than stockpile them.
7. Develop clear policies about whether, when, and under what legal standards it is
permissible for the government to secretly install malware on a computer or in a
network.
8. Separate the offensive and defensive functions of the NSA in order to minimize
conflicts of interest.
First, the United States, like many countries, concentrates much of its
surveillance efforts abroad. Indeed, the Foreign Intelligence Surveillance Act is
focused on gathering information overseas, limiting data gathering largely only
when it implicates U.S. persons. n174 The recent NSA surveillance disclosures have
revealed extensive foreign operations. n175 Indeed, constraints on domestic
operations may well have spurred the NSA to expand operations abroad. As
the Washington Post reports, "Intercepting communications overseas has clear
advantages for the NSA, with looser restrictions and less oversight." n176 Deterred
by a 2011 ruling by the Foreign Intelligence Surveillance Court barring certain broad
domestic surveillance of Internet and telephone traffic, n177 the NSA may have
increasingly turned its attention overseas.
With GCHQ in mind, it is worth noting an additional exception to both FISA and
Executive Order 12,333: to the extent that it is not the United States engaged in the
collection of information, but, rather, one of our allies, rules that otherwise limit
the U.S. intelligence community may not apply. From the language of the
order, it appears that the United States may receive or benefit from other countries'
collection of information on U.S. citizens, where it does not actively participate in
the collection or specifically request other countries to carry out the collection at its
behest. n142 In turn, the United States can provide information about foreign
citizens to their governments that their intelligence agencies, under their domestic
laws, might otherwise be unable to collect. To the extent that the programs
underway are extended to the closely allied "Five Eyes" (Australia, Canada, the
United Kingdom, the United States, and New Zealand), structural demarcations
offer a way around the legal restrictions otherwise enacted to protect citizen
rights in each region.
The government can obtain second-hand data from private parties in a variety of
ways. First, the government can simply ask for it. According to Google, nearly 1% of
requests for its user data from law enforcement are emergency requests. n185 A bill
that has been proposed in Congress, called the Cyber Intelligence Sharing and
Protection Act ("CISPA"), might dramatically increase this percentage. CISPA would
make it legal for the government to ask companies for data about their customers
and then protect those companies from lawsuits related to the handing over of that
data, "notwithstanding any other provision of law." n186
Second, the government can demand the data with a subpoena. A subpoena need
not be reviewed or pre-approved by a court to be valid and enforceable. n187
Google says that 68% of its data requests from the government are in the form of a
subpoena. n188 Subpoenas can request any information or documents that are at
all relevant to an investigation. Relevance is defined very broadly and includes any
information or documents that "might have the potential to lead to relevant
information." n189 So long as a subpoena meets this very lenient standard, a court
will deem the subpoena valid to the extent that the subpoena's demands are not
overbroad or unduly burdensome. n190
Third, the government can demand the information with a court order, which, by
definition, does require prior approval by a [*411] court. n191 Google says that
22% of its requests for data by the government are from warrants, and another 6%
are from court orders. n192 The NSA collects much of its data by using secret FISA
court orders, collecting huge sums of data from U.S. telephone companies, including
AT&T, Verizon, and Sprint, and Internet service-providers like Facebook, Apple,
Google, Microsoft, Yahoo, and AOL. n193 Statutes regulate these data-collection
efforts. n194
Fourth, the government can purchase the information. Big Data is valuable and
companies are willing to sell. n195 For the right price, [*412] government can
access the same rich data-troves held by private organizations. For example, the
federal government recently started buying access to a private database
maintained by the credit bureau Equifax, called "The Work Numbers." n196 The
database contains 54 million active salary and employment records and more than
175 million historical records from approximately 2,500 U.S. employers. n197
Equifax also sells this same data to credit card issuers, property managers, and auto
lenders. n198
Finally, the government can intercept the data using wiretaps, bugs, and Trojan
horses among many other available tools. The NSA collects much of its data by
Rather than focus on section 215, I want to focus in this post on the bill's proposed
reforms to section 702 of the FISA Amendments Act, or FAA. This is the provision
underlying the PRISM program and its use to obtain the content of phone calls and
Internet messages, which Glenn Greenwald revealed based on Edward Snowden's
documentation. There's been less discussion of the problems with section 702 than
of those with section 215, even as we've learned some worrisome things about the
way the NSA uses this legal authority. The new bill would address some, but by no
means all, of these problems. In my opinion, it needs to be broader.
I. Background
First, some legal and technological background is in order. Traditional FISA required
the government to show probable cause that the target of the underlying foreign
intelligence surveillance was an agent of a foreign power and would use the
facilities at which the government planned to direct surveillance before conducting
electronic surveillance. This probable cause requirement had the practical effect of
limiting surveillance to communications to or from individuals who are reasonably
believed to be working for another government or a terrorist group.
In addition to the expansions created in 2001 by the USA PATRIOT Act (including
section 215), section 702 of the FAA created a new source of authority for
Prohibit the government from collecting communications that are about the
target, in non-terrorism contexts;
Strengthen the prohibition against reverse targeting, or targeting a foreigner in
order to warrantlessly acquire the communications of an American who is known to
be communicating with that foreigner; and
Place stronger statutory limits on the use of unlawfully collected information.
These are critical reforms. I would like to see the bill further include a higher
standard of care with regards to ensuring that people inside the U.S. are not
targeted. As Professor Christopher Sprigman and I argued in the New York Times,
PRISM is designed to produce at least 51 percent confidence in a target's
foreignness--as John Oliver of The Daily Show put it, "a coin flip plus 1
percent." In other words, 49 percent of the time the NSA may be acquiring
information it is not allowed to have, even under the terrifyingly broad auspices of
the FAA.
More fundamentally, though, the Wyden/Udall bill does not fully address a
fundamental problem with the FAA, which is that it authorizes surveillance of
average citizens of other countries for reasons that are not necessarily related to
the security of the United States. Senator Udall acknowledged in the press
conference announcing the bill (at 30:17) that the NSA's unfettered spying has had
and will continue to have an adverse economic effect on U.S.-based businesses, and
that this is one of the motivations behind the bill.
Prohibiting "about the target" collection is one giant step forward. That would mean
that non-targets outside the U.S. could not be subject to surveillance under this law
just because they talk about a target, unless their conversation is related to
terrorism. Depending on the details of the targeting and minimization procedures, if
my British friend in London and I email about our dismay over the Kenya attacks,
that would be fair game, but our conversation about the policies of Brazilian
President Dilma Rousseff would be off limits.
However, targets still need not be agents of foreign powers so long as a significant
purpose of the collection is foreign intelligence. Foreign intelligence is broad, and
includes any information that relates to the conduct of U.S. foreign affairs. For
example, DNI James Clapper affirmed that the U.S. collects information about
economic and financial matters to provide the United States and our allies early
warning of international financial crises which could negatively impact the global
economy or to provide insight into other countries' economic policy or behavior
which could affect global markets.
Monitoring economic and financial matters is in the United States' national interest.
However, routine eavesdropping upon common foreigners to discover information
about these matters is a bad idea. First, foreigners have privacy rights, too. Freedom
from arbitrary interference with one's privacy is part of the Universal Declaration of
Human Rights.
Next, this monitoring is detrimental to U.S. companies and to the United States'
long-term interests in promoting democratic ideals. As Sprigman and I argue,
although it may be legal, unfettered U.S. spying on foreigners will cause serious
collateral damage to America's technology companies, to our Internet-fueled
economy, and to human rights and democracy the world over. Since our Atlantic
article on June 28th, and the disclosure that the NSA targeted both Petrobras and
President Dilma Rousseff, Brazil has announced that it will look into requiring
Internet companies to store its citizens' data locally, and take other steps that
threaten to balkanize the global Internet. When Brazil takes these steps, it gives
comfort and cover to authoritarian countries who will do the same, so that they can
better censor, spy on, and control Internet access within their own borders.
It appears that little consideration was given over the past decade to the potential
economic repercussions if the NSA's secret programs were revealed.38 This failure
was acutely demonstrated by the Obama Administration's initial focus on reassuring
the public that its programs primarily affect non-Americans, even though
non-Americans are also heavy users of American companies' products. Facebook CEO
Mark Zuckerberg put a fine point on the issue, saying that the government "blew it"
in its response to the scandal. He noted sarcastically: "The government response
was, 'Oh don't worry, we're not spying on any Americans.' Oh, wonderful: that's
really helpful to companies [like Facebook] trying to serve people around the world,
and that's really going to inspire confidence in American internet companies."39 As
Zuckerberg's comments reflect, certain parts of the American technology industry
are particularly vulnerable to international backlash since growth is heavily
dependent on foreign markets. For example, the U.S. cloud computing industry
has grown from an estimated $46 billion in 2008 to $150 billion in 2014, with nearly
50 percent of worldwide cloud-computing revenues coming from the U.S.40 R Street
Institute's January 2014 policy study concluded that in the next few years, new
products and services that rely on cloud computing will become increasingly
pervasive. "Cloud computing is also the root of development for the emerging
generation of Web-based applications--home security, outpatient care, mobile
payment, distance learning, efficient energy use and driverless cars," writes R
Street's Steven Titch in the study. "And it is a research area where the United States
is an undisputed leader."41 This trajectory may be dramatically altered, however, as
a consequence of the NSA's surveillance programs.
When NSA and allied analysts really want to target an account, their concern for
U.S. privacy diminishes. The rationales they use to judge foreignness sometimes
stretch legal rules or well-known technical facts to the breaking point.
In their classified internal communications, colleagues and supervisors often remind
the analysts that PRISM and Upstream collection have a lower threshold for
foreignness standard of proof than a traditional surveillance warrant from a FISA
judge, requiring only a reasonable belief and not probable cause.
One analyst rests her claim that a target is foreign on the fact that his e-mails are
written in a foreign language, a quality shared by tens of millions of Americans.
Others are allowed to presume that anyone on the chat buddy list of a known
foreign national is also foreign.
In many other cases, analysts seek and obtain approval to treat an account as
foreign if someone connects to it from a computer address that seems to be
overseas. "The best foreignness explanations have the selector being accessed via
a foreign IP address," an NSA supervisor instructs an allied analyst in Australia.
Apart from the fact that tens of millions of Americans live and travel overseas,
additional millions use simple tools called proxies to redirect their data traffic
around the world, for business or pleasure. World Cup fans this month have been
using a browser extension called Hola to watch live-streamed games that are
unavailable from their own countries. The same trick is routinely used by Americans
who want to watch BBC video. The NSA also relies routinely on locations embedded
in Yahoo tracking cookies, which are widely regarded by online advertisers as
unreliable.
Of course, FAA Exclusivity wouldn't solve every problem. It would not prevent
foreign governments from collecting information themselves and then providing it to
U.S. intelligence agencies, as U.S. law cannot bind a foreign government. And some
may argue that FAA provides inadequate civil liberties protections for Americans.
This proposal says nothing about the adequacy of that statute in this respect. What
it says is that for data held by an American company about a target that is not a
U.S. person, the checks within FAA are stronger than those solely under E.O. 12333.
that the NSA was not supposed to collect (in other words, wholly domestic
communications), this appeared to be precisely what had occurred with regard to
the NSA's upstream collection. n289
In its October 2011 memorandum opinion, the court confronted two areas: first,
targeting procedures as applied to the acquisition of communications other than
Internet transactions -- that is, "discrete communications between or among the
users of telephone and Internet communications facilities that are to or from a
facility tasked for collection." n290 As in the past, the court found the targeting
procedures with regard to non-Internet transactions to be sufficient. Second, the
court considered de novo the sufficiency of the government's targeting procedures
in relation to Internet transactions. [*192] n291 Despite the
acknowledgement by the government that it knowingly collected tens of thousands
of messages of a purely domestic nature, FISC found the procedures consistent with
the statutory language that prohibited the intentional acquisition of domestic
communications. n292
The court's analysis of the targeting procedures focused on upstream collection.
n293 At the time of acquisition, the collection devices lacked the ability to
distinguish "between transactions containing only a single discrete communication
to, from, or about a tasked selector and transactions containing multiple discrete
communications, not all of which may be to, from, or about a tasked selector." n294
The court continued: "As a practical matter, this means that NSA's upstream
collection devices acquire any Internet transaction transiting the device if the
transaction contains a targeted selector anywhere within it." n295 Because of the
enormous volume of communications intercepted, it was impossible to know either
how many wholly domestic communications were thus acquired or the number of
non-target or U.S. persons' communications thereby intercepted. n296 The number
of purely domestic communications alone was in the tens of thousands. n297
Despite this finding, FISC determined that the targeting procedures were consistent
with the statutory requirements that they be "reasonably designed" to (1) "ensure
that any acquisition authorized under [the certifications] is limited to targeting
persons reasonably believed to be located outside the United States" and (2)
"prevent the intentional acquisition of any communication as to which the sender
and all intended recipients are known at the time of the acquisition to be located in
the United States." n298
To reach this conclusion, the court read the statute as applying, in any particular
instance, to communications of individuals "known at the time of acquisition to be
located in the United [*193] States." n299 As the equipment did not have the
ability to distinguish between purely domestic communications and international
communications, the NSA could not technically know, at the time of collection,
where the communicants were located. From this, the court was "inexorably led to
the conclusion that the targeting procedures are 'reasonably designed' to prevent
the intentional acquisition of any communication as to which the sender and all
intended recipients are known at the time of the acquisition to be located in the
United States." n300 This was true despite the fact that the NSA was fully aware
that it was collecting, in the process, tens of thousands of domestic
Ex post CP
1nc ex post CP
Text:
While I have concluded that U.S. surveillance policy does not violate the ICCPR,
further reforms could highlight this point and silence persistent doubts here and
abroad. These reforms could also remove any barriers to cooperation between the
United States and foreign states, such as those in Europe, which are subject to the
European Convention on Human Rights. This section identifies reforms that would
add a public advocate to FISC proceedings, enhance FISC review of the criteria used
for overseas surveillance, establish a U.S. privacy agency that would handle
complaints from individuals here and overseas, and require greater minimization of
non-U.S. person communications. These reforms would signal U.S. support of
evolving global norms of digital privacy.
Although President Obama's speech in January 2014 proposed a panel of
independent lawyers who could participate in important FISC cases, n161 further
institutionalization of this role would be useful. A public advocate would scrutinize
and, when necessary, challenge the NSA's targeting criteria on a regular basis. n162
Challenges would be brought in the FISC, after the NSA's implementation of criteria.
The NSA would be able to adapt the criteria on an exigent basis, subject to ex
post review by the FISC at the public advocate's behest. A public advocate and
enhanced FISC review would serve three valuable functions: (1) ensure that the FISC
received the best arguments on both sides; (2) serve as a valuable ex ante check on
the government, encouraging the government to adopt those criteria that could
The government also claims at least one success from the telephony metadata
program, though it has been coy about the specifics: "The NSA, using the business
record FISA, tipped [the FBI] off that [an] individual had indirect contacts with a
known terrorist overseas. . . . We were able to reopen this investigation, identify
additional individuals through a legal process and were able to disrupt this terrorist
activity." n30 Quite apart from foiling attacks, the government also argues that the
NSA programs can conserve scarce investigative resources by helping officials
quickly spot or rule out any foreign involvement in a domestic plot, as after the
2013 Boston Marathon bombing. n31
These claims have to be taken with a few grains of salt. Some observers believe
that the government could have discovered the plots using standard investigative
techniques, and without resorting to extraordinary methods like programmatic
surveillance. n32 The metadata program has elicited special skepticism: The
President's Review Group on Intelligence and Communications Technologies bluntly
concluded that "the information contributed to terrorist investigations by the use of
section 215 telephony meta-data was not essential to preventing attacks and could
readily have been obtained [*530] in a timely manner using conventional section
215 orders." n33 The Privacy and Civil Liberties Oversight Board reached the same
conclusion. n34 (Judicial opinion is split on the program's value. One judge has
expressed "serious doubts" about its utility, n35 while another has concluded that
its effectiveness "cannot be seriously disputed.") n36 Furthermore, we should
always be cautious when evaluating the merits of classified intelligence initiatives
on the basis of selective and piecemeal revelations, as officials might tailor the
information they release in a bid to shape public opinion. n37 But even if specific
claimed successes remain contested, programmatic surveillance in general can still
be a useful counterterrorism technique.
As these examples imply, effective programmatic surveillance often requires huge
troves of information--e.g., large databases of airline reservations, compilations of
metadata concerning telephonic and internet communications, and so on. This is
why it typically will not be feasible to limit bulk collection to particular, known
individuals who are already suspected of being terrorists or spies. Some officials
have defended the NSA programs by pointing out that, "[i]f you're looking for the
needle in a haystack, you have to have the haystack." n38 That metaphor doesn't
strike me as terribly helpful; rummaging around in a pile of hay is, after all, a
paradigmatic image of futility. But, the idea can be expressed in a more compelling
way. Programmatic surveillance cannot be done in a particularized manner. The
whole point of the technique is to identify unknown threats to the national security;
by definition, it cannot be restricted to threats that have already been identified. We
can't limit programmatic [*531] surveillance to the next Mohamed Atta when we
have no idea who the next Mohamed Atta is--and when the goal of the exercise is
indeed to identify the next Mohamed Atta.
As for the structural considerations, one of the most important is what might be
called an anti-unilateralism principle. A system of programmatic surveillance should
not be put into effect on the say-so of the executive branch, but rather should be a
collaborative effort that involves Congress (in the form of authorizing legislation) or
the judiciary (in the form of FISA court review of the initiatives). n42 An example of
the former is FISA itself, which Congress enacted in 1978. At the time, the NSA was
engaged in bulk collection, without judicial approval, of certain international
communications into and out of the United States--namely, by tapping into offshore
telecommunications cables and by eavesdropping on satellite based radio signals.
FISA's [*533] famously convoluted definition of "electronic surveillance" n43
preserved these preexisting practices even as Congress was imposing a new
requirement of judicial approval for other kinds of monitoring. n44 An example of
the latter concerns the warrantless Terrorist Surveillance Program, under which the
NSA was intercepting, outside the FISA framework, certain communications
between suspected al-Qaeda figures overseas and people located in the United
States. After that program's existence was revealed in late 2005, the executive
branch persuaded the FISA court to issue orders allowing it to proceed subject to
various limits. n45 (That accommodation eventually proved unworkable, and the
executive then worked with Congress to put the program on a more solid legislative
footing through the temporary Protect America Act of 2007 n46 and the permanent
FISA Amendments Act of 2008.) n47
Anti-unilateralism is important for several reasons. To take the most obvious,
Congress and the courts can help prevent executive overreach. n48 The risk of
abuse is lessened if the executive branch must enlist its partners before
commencing a new surveillance initiative. Congress might decline to permit bulk
collection in circumstances where it concludes that ordinary, individualized
monitoring would suffice, or it might authorize programmatic surveillance
subject to various privacy protections. In addition, inviting many voices to the
decision-making table increases the probability of sound outcomes. More
participants with diverse perspectives can also help mitigate the groupthink
tendencies to which the executive branch is sometimes [*534] subject. n49 If we're
going to engage in programmatic surveillance, it should be the result of give and
take among all three branches of the federal government, or at least between its
two political branches, not the result of executive edict.
As for the operational considerations, among the most important is the need for
external checks on programmatic surveillance. In particular, bulk data collection
should have to undergo some form of judicial review, such as by the FISA court, in
which the government demonstrates that it meets the applicable constitutional and
statutory standards. Ideally, the judiciary would give its approval before collection
begins. But this will not always be possible, in which case timely post-collection
judicial review will have to suffice. (FISA has a comparable mechanism for
temporary warrantless surveillance in emergency situations.) n60 Programmatic
surveillance also should be subject to robust congressional oversight. This could
take a variety of forms, including informal consultations with members of Congress
when designing the surveillance regime (including, at a minimum, congressional
leadership and members of the applicable committees), [*537] as well as regular
briefings to appropriate personnel on the operation of the system and periodic
oversight hearings.
Of course, judicial review in the context of bulk collection won't necessarily look the
same as it does in the familiar setting of individualized monitoring of specific
targets. If investigators want to examine the telephony metadata associated with a
particular terrorism suspect, they can apply to the FISA court for a pen register or
trap and trace order upon a showing that the information sought is relevant to an
ongoing national security investigation. n61 But, as explained above, that kind of
particularized showing often won't be possible where authorities are dealing with
unknown threats, and where the very purpose of the surveillance is to identify those
threats. In these situations, reviewing courts may find it necessary to allow the
government to collect large amounts of data without individualized suspicion. This
doesn't mean that privacy safeguards must be abandoned and the executive given
free rein. Instead, courts could be tasked with scrutinizing the initiative's overall
structure and operation to determine its compatibility with constitutional and
statutory requirements. And courts further could require authorities to demonstrate
some level of individualized suspicion before accessing the data that has been
collected. Protections for privacy and civil liberties thus can migrate from the
collection phase of the intelligence cycle to earlier and later stages, such as the
systems design and analysis stages. n62
In more general terms, because programmatic surveillance involves the collection of
large troves of data, it likely means some dilution of the familiar ex ante restrictions
that protect privacy by constraining the government from acquiring information in
the first place. It therefore becomes critically important to devise meaningful ex
post safeguards that can achieve similar forms of privacy protection. In short,
restrictions on the government's ability to access and use data that it has gathered
must substitute for restrictions on the government's ability to gather that data at
all; what I have elsewhere called use limits must stand in for collection limits.
n63
This sort of oversight by the courts and Congress provides an obvious, first-order
level of protection for privacy and civil liberties--an external veto serves as a direct
check on possible executive [*538] misconduct. Judicial and legislative checks also
offer an important second-order form of protection. The mere possibility of an
outsider's veto can have a chilling effect on executive misconduct, discouraging
officials from questionable activities that would have to undergo, and might not
survive, external review. n64 Moreover, external checks can channel the executive's
scarce resources into truly important surveillance and away from relatively
unimportant monitoring. This is so because oversight increases the administrative
costs of collecting bulk data--e.g., preparing a surveillance application, persuading
the judiciary to approve it, briefing the courts and Congress about how the program
has been implemented, and so on. These increased costs encourage the executive
to prioritize collection that is expected to yield truly valuable intelligence and,
conversely, to forego collection that is expected to produce information of lesser
value.
The FISC approves virtually every application for an order with which it is presented.
According to Electronic Privacy Information Center (EPIC) statistics, the court denied
only five applications from its inception through 2006.40 In that time, it has
approved thousands of others, including a new high of 2176 in 2006.41 Of course,
"[i]t is possible to draw divergent conclusions from this data. One could infer that
the extensive FISA safeguards have forced the Executive to self-censor its requests.
One could also argue, however, that the courts act merely as a rubber stamp
whenever the Executive invokes national security."42 Upon analyzing FISA's
structure and track record, the nature of electronic surveillance in service of
national security, and more general separation of powers and national security
lessons, it seems that something more like the latter is the ultimate result of FISA.
Limitations inherent in the project of judicial pre-approval of national security
surveillance render the system unable to perform the function for which it was
created; each of the problems described below mutually reinforces the others,
leading to systemic ineffectiveness. In the absence of the notice requirements
that attach in domestic surveillance, 43 and in light of the ex parte nature of FISC
proceedings, no opportunity for meaningful review may ever present itself.44 The
potential for abuse is substantial, since all applications remain sealed and
unavailable to the public, and since targets are never notified that they have been
under surveillance.45
1. Non-adversariality. One of the most striking elements of the FISA system is the
total absence of adversariality. Because the collection of intelligence in this context
requires by its very nature that the surveilled party not receive notice in advance,
the ex ante approval system is almost by definition also ex parte. This puts the FISC
in an "anomalous position,"46 in the words of the current Attorney General, similar
to that of a court reviewing FISA materials for admission in a criminal case. In such
situations, "[t]he judge is forced not only to act as an arm of the prosecution in
weighing the prosecution's arguments about whether disclosure would or would not
compromise national security, but also to act as a defense lawyer in determining
whether the information is useful to the defendant."47 Similarly, in reviewing a FISA
application, the FISC must attempt the difficult, if not impossible, task of
simultaneously occupying the roles of advocate and neutral arbiter--all without
the authority or ability to investigate facts or the time to conduct legal research.48
The judge lacks a skeptical advocate to vet the government's legal arguments,
which is of crucial significance when the government is always able to claim the
legislative action and limiting constructions applied by the courts themselves have
narrowed the FISC's authority even further. For example, when Congress amended
FISA to require only that national security be a significant purpose, rather than the
primary purpose, of the surveillance for which authorization is sought,60 the
FISCR read the statutory shift quite broadly. It held that when surveillance of a
foreign agent is undertaken for purposes of both national security and law
enforcement, the government need only "entertain[] a realistic option of dealing
with the agent other than through criminal prosecution" in order to satisfy the
test.61 The court reasoned that the new provisions "eliminated any justification for
the FISA court to balance the relative weight the government places on criminal
prosecution as compared to other counterintelligence responses."62 Yet this seems
a far less robust limit than the plain language or legislative history indicated:
importantly, the legislature considered and rejected requiring only "a" rather than
"a significant" purpose.63 Given a hint of statutory ambiguity, then, the court
effectively read the requirement of significant purpose out of the statute, resulting
in a regime of even less exacting scrutiny. Ultimately, "[t]hrough a combination of
government tactics, the mandate of the FISA court, and federal court interpretations
of the FISA law, the FISA safeguards which were intended to balance individual
rights against the government's claims of national security have been essentially
eviscerated."64
As a result, "[c]harging a panel of federal judges with insufficient background
information on specific cases, and little intelligence experience, with approving
foreign intelligence surveillance applications has resulted in an essentially rubber
stamp process where applications are practically never denied."65 Primary reliance
on judicial oversight will virtually always tend toward deference, both in exercising
jurisdiction and in determining individual cases.
Ex ante judicial review is not only of limited effectiveness, but it is also affirmatively
harmful in several respects. Ex ante judicial approval imparts a broader imprimatur
of validity than is warranted given the limited effectiveness of the review. Further, it
clouds accountability and can be a cumbersome and intrusive process harmful to
national security interests. In fact, the creation of FISA courts may actually have
resulted in fewer restrictions on the domestic surveillance activities of intelligence
agencies69 because "[t]he secrecy that attends FISC proceedings, and the
limitations imposed on judicial review of FISA surveillance, may insulate
unconstitutional surveillance from any effective sanction."70
1. The Judicial Imprimatur. The issuance of an order by the FISC confers a stamp
of approval from the widely respected Article III courts. A FISC order makes a strong
statement that a neutral arbiter has looked closely at the situation and found the
surveillance warranted. Yet, as the set of limitations just discussed indicates, the
protective force of a FISC order may not align with the actual vigor of the inquiry.
This disparity may give rise to several problems. First, changed circumstances
following the issuance of the order may undermine the validity of the surveillance.
Minimization procedures are largely unhelpful in solving this problem: "[T]he Act
provides for the same kind of incoherent and largely unenforceable minimization
requirements that plague criminal wiretap statutes."71 Much more importantly, the
judicial order may mask and indeed later provide cover for improper governmental
motives and improper intrusions on liberty.72 In these situations, ex ante review
may sanitize the improper surveillance. The presence of the judicial order may
function to dissuade legislative or executive oversight entities from inquiry. Worse,
judicial orders offer the potential for the government to hide behind the nominally
objective, even if only minimally rigorous, scrutiny that they represent.
Surveillance conducted for political reasons, for example, might escape detection,
condemnation, and consequences -- political, if not legal -- if that surveillance is
given judicial protection.73 Indeed, this sanitization could occur on an even broader
level: ex ante judicial approval interferes with the healthy public skepticism that
attends political actors and that may help keep the citizenry engaged in considering
the difficult tradeoffs between liberty and security necessary in this context. This is
not to say that the judiciary should decline to play a constitutionally permissible
role; rather, the point is that system designers concerned with protecting civil
liberties should keep in mind the drawbacks of ex ante approval. In total, the
capacity of ex ante approval to enable some of the most dangerous sorts of abuses
far outweighs its middling ability to provide a useful check.
circumstances takes place. First, 50 U.S.C. § 1802 gives the Attorney General power,
upon written certification under oath, to authorize up to one year of electronic
surveillance directed at communications exclusively between or among foreign
powers or technical intelligence . . . from property or premises under the open
and exclusive control of a foreign power so long as there is no substantial
likelihood that the surveillance will acquire the contents of any communication to
which a United States person is a party and minimization procedures are complied
with. Second, under § 1805(f), the Attorney General may authorize emergency
surveillance without court interference for seventy-two hours if he or she
determines that a standard FISA order could not be acquired in time and that there
is a sufficient factual basis for issuance of an order. Finally, for fifteen days
following a declaration of war, § 1811 permits non-court-ordered, Attorney General
authorized surveillance.
Foreign intelligence surveillance occupies a unique spot in the Court's Fourth
Amendment jurisprudence.102 In Katz v. United States,103 the Court issued
perhaps its sternest statement on the obligation of obtaining a warrant prior to
exercising a search,104 while also extending Fourth Amendment protection to
include electronic surveillance. 105 Importantly, however, the Court expressly
reserved the issue of electronic surveillance in the national security context.106 In
United States v. U.S. District Court107 (the Keith case), the Court again focused on
the need for prior judicial scrutiny in rejecting the government's claim for an
exception to the warrant requirement in the domestic national security context.108
Yet once again, the Court made a crucial reservation: "[T]his case involves only the
domestic aspects of national security. We have not addressed, and express no
opinion as to, the issues which may be involved with respect to activities of foreign
powers or their agents."109 It is thus an open constitutional question whether
foreign intelligence surveillance falls within an exception to the Fourth
Amendment's warrant requirement.
While full argumentation for the proposition that the Fourth Amendment embodies
such an exception is beyond the scope of this Note,110 the case law is clear that
the true touchstone of the Fourth Amendment is reasonableness,111 such that
the Fourth Amendment only [s]ometimes . . . require[s] warrants.112 Especially in
light of the increasing number of exceptions to the warrant requirement,113 it
seems likely that an exception is appropriate in the context of foreign intelligence
surveillance for purposes of national security, not only in terms of meeting a more
formalist reading of the Fourth Amendment, but even more forcefully meeting a
functionalist reading, under which the improved protections of civil liberties could
render the decreased reliance on ex ante judicial review preferable under the Fourth
Amendment.
2. Policy Benefits. A proponent of a national security exception notes that "[t]he
repeal of FISA . . . would simply effectuate the nation's return to its previous
tradition."114 Yet the obvious retort is that the very abuses detailed in the Church
Committee report were a major product of that tradition. Still, the old tradition did
have some benefits that can be obtained by coupling the ex post reasonableness
role of reviewing courts with the political checks described above. For one, rather
than shielding meaningful inquiry, as ex ante review can, ex post review may
produce a renewed focus on Fourth Amendment principles115 by both the judicial
and political branches. Indeed, the more developed factual setting available in ex
post review would help with the effort to define reasonableness.
Further, it could be argued that since only a small number of people are likely to be
affected by surveillance, and especially given that those affected are likely to be
disfavored or underrepresented groups such as members of minority religions or
immigrants, the political process cannot be trusted to perform oversight. Yet ex post
judicial review would remain a powerful check if the government seeks to use
FISA-gathered information in other legal settings, such as criminal trials, habeas corpus
proceedings, or motions for prospective relief. Ex post reasonableness review thus
provides an important backstop to the oversight process.
IV. CONCLUSION
The current FISA system is illogical. Its purported benefits are at best questionable,
and it features serious drawbacks in terms of the efficient functioning of national
security surveillance and the numerous ways it undermines protections of liberty.
While the Senate bill falls short of instituting the sort of robust political checks
buttressed by ex post judicial review necessary to provide adequate protections, it
offers an important paradigm shift in the way that FISA is conceived. This
reconceptualization should be embraced and bettered by incorporating some of the
terms of the House bill, rather than rejected as insufficiently protective of the role of
the judiciary. Those concerned with protecting civil liberties should view an end to
reliance on ex ante judicial review as a chance to develop real political checks that
can vigorously protect both national security and liberty interests.
One promising move with regard to oversight and transparency has been the
establishment and staffing of the Privacy and Civil Liberties Oversight Board
(PCLOB). n186 This board, tasked with assessing many aspects of the government's
national security apparatus both for efficacy and for potentially unnecessary
incursions into civil liberties, has a broad mandate and, compared with many
national security decision makers, significant independence from the executive
branch. n187 Retrospectively, the PCLOB has, among other things, issued the highly
critical report of the NSA Metadata Program in January 2014 that led to further
public pressure on the Obama administration to curtail this program; it is promising
that the PCLOB's prospective agenda includes further analysis of various
surveillance programs. n188 However, the PCLOB's potential influence in protecting
civil rights may be limited by its position: The PCLOB is an advisory body that
analyzes existing and proposed programs and possibly recommends changes, but it
cannot mandate that those changes be implemented. The ability to have a high
level of access to information surrounding counterterrorism surveillance programs
and to recommend changes in such programs is important and should be lauded,
but over-reliance on the PCLOB's non-binding advice to the intelligence community
to somehow solve the accountability and transparency gap with regard to these
programs would be a mistake.
For example, on prospective matters, it is likely that intelligence agencies would
consult the PCLOB only if the agency itself considers the issue being faced new or
novel, as the NSA metadata program was labeled prior to its inception. In such
cases, decision makers within an agency generally ask whether the contemplated
program is useful or necessary, technologically feasible, and legal. If all three
questions are answered affirmatively, the program can be implemented. Now that
the PCLOB is fully operational, it seems likely that if a contemplated program is
considered new or novel, an intelligence agency would consult the PCLOB at some
stage of this process for its guidance on implementing the program. This
nonpartisan external input may improve self-policing within the [*102] intelligence
community and help intelligence agencies avoid implementing controversial
programs or, even if implemented, set better parameters around new programs.
n189
If the PCLOB is able to exert some degree of soft power in influencing national
security decision-making, then the judiciary represents hard power that could be
used to force the protection of civil liberties where it might not otherwise occur. The
FISC should be reformed to include a public advocate lobbying on behalf of
privacy concerns, making the process genuinely adversarial and strengthening the
FISC against charges that it merely rubber stamps applications from the intelligence
community. n190 Article III courts need to follow the lead of Judge Leon in Klayman
in conceptualizing privacy as broad and defensible, even in a world where
electronics-based communication is dominant and relatively easy for the
government to collect. If the judicial defense of privacy were combined with the
possibility of liability for violations of that privacy, it is likely that this would
incentivize increased self-policing among the members of the intelligence
community. The creation of an active PCLOB and a more adversarial process before
the FISC will not provide a perfect solution to the dilemmas posed by the
government's legitimate need for secrecy and the protection of the public against
potential abuse. Yet because these changes are institutional and structural, they are
well-placed to improve the dynamic between the intelligence community, oversight
mechanisms, and the public.
Conclusion
Genuine accountability should not depend on the chance that an unauthorized and
illegal leak will occur. In the comparative example of the United Kingdom,
engagement with a European Union energized with a commitment to increase
privacy protections, along with domestic parliamentary oversight, provide two
potential avenues for increased constraint on surveillance. In India, the parliament
and the courts historically enabled, not constrained, the intelligence community.
Whether that stance will continue as the government's technological capabilities
increase is yet to be seen.
Domestically, it could be argued that the types of reform recommended here to
improve actual accountability and transparency over programs like the NSA
Metadata Program are overkill: They involve multiple branches of government, the
PCLOB, and the public. However, much of the accountability apparatus that has
been in place was dormant until the Snowden disclosures, and would have remained
passive without those disclosures. A multi-faceted, long-term, structural approach
[*103] to improving transparency and accountability - one that involves at a
minimum the courts and the PCLOB, but hopefully Congress, the executive branch,
and the public as well - improves the likelihood of sustained and meaningful
accountability as new surveillance capabilities are developed and implemented.
3. The Demands of National Security. Finally, while the focus of this Note is on the
protection of civil liberties, the current system may also do a poor job of promoting
Programmatic surveillance thus can help remedy some of the difficulties that arise
when monitoring covert adversaries like international terrorists. FISA and other
particularized surveillance tools are useful when authorities want to monitor targets
whose identities are already known. But they are less useful when authorities are
trying to identify unknown targets. The problem arises because, in order to obtain a
wiretap order from the FISA court, the government usually must demonstrate
probable cause to believe that the target is a foreign power or agent of a foreign
power. n39 This is a fairly straightforward task when the target's identity is already
known--e.g., a diplomat at the Soviet embassy in Washington, DC. But the task is
considerably more difficult when the government's reason for surveillance is to
detect targets who are presently unknown--e.g., al-Qaeda members who operate in
the shadows. How can you convince the FISA court that Smith is an agent of a
foreign power when you know nothing about Smith--his name, nationality, date of
birth, location, or even whether he is a single person or several dozen? The
government typically won't know those things unless it has collected some
information about Smith--such as by surveilling him. And there's the rub.
Programmatic monitoring helps avoid the crippling Catch-22 that can arise under
particularized surveillance regimes like FISA: officials can't surveil unless they show
that the target is a spy or terrorist, but sometimes they can't show that an unknown
target is a spy or terrorist unless they have surveilled him.
If such a rule (with its exceptions) were in place, I believe that the government
could, in the present emergency, intercept all electronic communications inside or
outside the United States, of citizens as well as of foreigners, without being deemed
to violate the Fourth Amendment, provided that computers were used to winnow
the gathered data, blocking human inspection of intercepted communications that
contained no clues to terrorist activity. We know that citizens (and permanent
residents) can be terrorists operating against their country, even without any
foreign links. The United States has had its share of U.S. citizen terrorists, such as
the Unabomber and Timothy McVeigh and presumably whoever launched the
anthrax attack on the East Coast in October 2001. The terrorist bombings of the
London subway system in July 2005 were carried out by British citizens. And U.S.
persons who are not terrorists or even terrorist sympathizers might have
information of intelligence value--information they might be quite willing to share
with the government if only they knew they had it. The information that enables an
impending terrorist attack to be detected may be scattered in tiny bits that must be
collected, combined, and sifted before their significance is apparent. Many of the
bits may reside in the e-mails or phone conversations of innocent people, such as
unwitting neighbors of terrorists, who may without knowing it have valuable
counterterrorist information--one consequence of the jigsaw puzzle character of
national security intelligence.
A further question, however, is whether the Fourth Amendment should be deemed
to require warrants for such surveillance. The Keith case that I mentioned earlier
held that warrants are required for conducting purely domestic surveillance even
when the purpose is to protect national security, though the Court suggested that
perhaps the probable-cause requirement could be attenuated. It would have to be. If
the goal of surveillance is not to generate evidence of criminal activity but to detect
terrorist threats, including those too incipient to be prosecutable as threats, and
even threats of which the persons under surveillance may be unaware because the
significance of the clues they possess eludes them, then to insist that the
investigators establish probable cause to believe criminal activity is afoot will be to
ask too much. The amendment's requirement of particularity of description of what
is to be searched or seized would also have to be relaxed for surveillance warrants
adequate to national security to be feasible, because intelligence officers will often
not have a good idea of what they are looking for.
Privacy is the terrorist's best friend, and the terrorist's privacy has been
enhanced by the same technological developments that have both made data
mining feasible and elicited vast quantities of personal information from innocents:
anonymity combined with the secure encryption of digitized data makes the
Internet a powerful tool of conspiracy. The government has a compelling need to
exploit digitization in defense of national security. But if this is permitted,
intelligence officers are going to be scrutinizing a mass of personal information
about U.S. citizens. And we know that people don't like even complete strangers
poring over the details of their private lives. But the fewer of these strangers who
have access to those details and the more professional their interest in them, the
less the affront to privacy. One reason people don't much mind having their bodies
examined by doctors is that they know that doctors' interest in bodies is
professional rather than prurient; we can hope that the same is true of intelligence
professionals.
The primary danger of such data mining is leaks by intelligence personnel to
persons inside or outside the government who might use the leaked data for
improper purposes. Information collected by a national security data-mining
program would have to be sharable within the national security community, which
would include in appropriate cases foreign intelligence services, but not beyond.
Severe sanctions and other security measures (encryption, restricted access, etc.)
could and should be imposed in order to prevent--realistically, to minimize--the
leakage of such information outside the community. My suggestion in the last
chapter that the principle of the Pentagon Papers case be relaxed to permit
measures to prevent the media from publishing properly classified information
would reinforce protection of the privacy of information obtained by national
security data mining.
I have said both that people value their informational privacy and that they
surrender it at the drop of a hat. The paradox is resolved by noting that as long as
people don't expect that the details of their health, love life, or finances will be used
to harm them in their interactions with other people, they are content to reveal
those details to strangers when they derive benefits from the revelation. As long as
intelligence personnel can be trusted to use their knowledge of such details only for
the defense of the nation, the public will be compensated for the costs of
diminished privacy in increased security from terrorist attacks.
force the court to tell the government that the desired target bore no relevance to a
terrorism investigation.
approved almost all warrant requests - as of 2006, the FISC had approved all but
five out of over 17,000 requests. n244 According to a Note written by the Harvard
Law Review, ex ante judicial review to conduct foreign surveillance may be
counterproductive and unworkable:
The [FISC] judge lacks a skeptical advocate to vet the government's legal
arguments, which is of crucial significance when the government is always able to
claim the weight of national security expertise for its position. It is questionable
whether courts can play this role effectively, and, more importantly, whether they
should. n245
Because the FISC has no way to evaluate the facts presented by the government, it
has to assume that the government-provided facts are correct. Problematically, the
FISC identified evidence of governmental misstatements and omissions of material
facts in seventy-five FISA applications. n246 This evidence did not come to light
until after the FISC issued the warrants. n247
Judges are also extremely deferential to claims of national security, especially when
they "must weigh the national security necessity ex ante, rather than being asked
to review it after the fact." n248 The Harvard Note argues that "ex ante judicial
review is not only of limited effectiveness, but it is also affirmatively harmful" in
that it "imparts a broader imprimatur of validity than is warranted given the limited
effectiveness of judicial review." n249 Hence, as the Note observes, ex ante judicial
review may impede security without providing any real privacy interest protection.
n250 Therefore, the Note argues that "Congress is better situated constitutionally
and better equipped institutionally to make the sort of value judgments and political
determinations that are necessary [*307] to fulfill FISA's purposes." n251 The Note
concludes that "those concerned with protecting civil liberties should view an end to
reliance on ex ante judicial review as a chance to develop real political checks that
can vigorously protect both national security and liberty interests." n252
At the same time, all of the ex ante restrictions will necessarily be poor proxies for
an ex post review of reasonableness. Instead of substituting for ex post review of
reasonableness, ex ante restrictions supplement those restrictions. Ex ante
limitations force the government to follow two sources of law: the reasonableness of
executing the warrant imposed by reviewing courts ex post, and the restrictions
imposed by the magistrate judge ex ante. If the ex ante restrictions happen to be
modest, or are drafted in a way that ensures that they are always less than or equal
steps to hide it.204 Finally, the reasonableness of retaining seized computers that
have already been searched depends on whether the government might need the
original computer as evidence or whether it ends up containing contraband that
should not be returned and is subject to civil forfeiture. 205
The magistrate presented with an application for a warrant simply cannot know
these things. Judges are smart people, but they do not have crystal balls that let
them predict the number and type of computers a suspect may have, the law
enforcement priority of that particular case, the forensic expertise and toolkit of the
examiner who will work on that case, whether the suspect has tried to hide
evidence, and if so, how well, and what evidence or contraband the seized
computers may contain. Magistrate judges can make ballpark guesses about these
questions based on vague senses of what happens in typical cases. But even
assuming they take the time to learn about the latest in law enforcement resources
and the computer forensics process--enough to know about typical cases--they
cannot do more than come up with general rules that they think are useful for those
typical cases.
The errors of ex ante restrictions are particularly likely to occur because warrant
applications are ex parte. The investigators go to the judge with an affidavit and a
proposed warrant.206 The judge reads over the materials submitted. The judge can
modify the warrant, but his primary decision is whether to sign or reject it. The
entire process takes a matter of minutes from start to finish. No hearing occurs.
There is no testimony beyond the affidavit in most cases, and the affidavit usually
contains only standard language about computer searches.207 A prosecutor may be
present, but need not be. Obviously, no representative of the suspect is present to
offer witnesses or argument.
In that setting, judges are particularly poorly equipped to assess reasonableness.
The most they can develop is a standard set of ex ante restrictions that they use in
all computer warrants, perhaps one shared with other magistrate judges in their
district. More careful scrutiny is both impractical and unlikely. The ability of a
magistrate judge to assess reasonableness in that setting is a far cry from her
ability to rule on reasonableness in an ex post hearing, in which agents and experts
can take the stand and counsel for the defendant can cross-examine the agent,
offer his own witnesses, submit written briefs, and present oral argument.
The proper answer is no. Ex ante restrictions are unworkable and unwise for two
core reasons. First, the combination of error-prone ex ante judicial review and more
accurate ex post judicial review will result in systematic constitutional error. Instead
of requiring reasonableness, ex ante review will result in reasonable steps being
swept up with the wheat. The risk is especially acute with programmatic
surveillance, in which the government assembles large amounts of data in the
search for clues about a small handful of terrorists, spies, and other national
security threats. n71 Minimization is one way to deal with the problem. Minimization
rules limit what the government may do with data that does not appear pertinent to
a national security investigation--e.g., how long it may be retained, the conditions
under which it will be stored, the rules for accessing it, the purposes for which it
may be used, the entities with which it may be shared, and so on. Congress
appropriately has required intelligence officials to adopt minimization procedures,
both under FISA's longstanding particularized surveillance regime n72 and under
the more recent authorities permitting bulk collection. n73 But the rules need not be
identical. Because programmatic surveillance often involves the acquisition of a
much larger trove of non-pertinent information, the minimization rules for bulk
collection ideally would contain stricter limits on the use of inadvertently collected
information for purposes unrelated to national security. In other words, the
minimization procedures should reflect the anti-mission-creep principle described
above.