Assessing the Review Group Recommendations: Part III

By Benjamin Wittes
Tuesday, December 31, 2013, 5:54 PM

In Parts I and II of this series, I focused on the Review Group recommendations from Chapter III of the group's report. Starting in this post, I turn to the recommendations of Chapter IV, which deal with collection under Section 702 and other authorities directed at non-US persons. This is, to my mind, one of the weakest sections of the report. There is relatively little in this chapter that I think has much value, and the chapter has a lot that is confusing, badly developed, and to my mind anyway, hard to justify on the merits. In this post, I deal with Recommendations #12 and #13.

One of the problems with the chapter is that it often isn't very clear what precisely the group is recommending relative to current law and practice. The explanatory text associated with the recommendations does not always do a very good job explaining the recommendations, and sometimes does not even seem that connected to them. So the reader is sometimes less than clear what the group wants to change about the status quo---or what it wants to change the status quo to.

Recommendation #12, the first recommendation in the chapter, is a good example of this problem. The chapter opens by surveying Section 702 collection and, while acknowledging its effectiveness, worrying that "it achieves [its] goal in a way that unnecessarily sacrifices individual privacy and damages foreign relations." It then recommends that "if the government legally intercepts a communication under section 702, or under any other authority that justifies the interception of a communication on the ground that it is directed at a non-United States person who is located outside the United States, and if the communication either includes a United States person as a participate or reveals information about a United States person":

(1) any information about that United States person should be purged upon detection unless it either has foreign intelligence value or is necessary to prevent serious harm to others;

(2) any information about the United States person may not be used in evidence in any proceedings against that United States person;

(3) the government may not search the contents of communications acquired under section 702, or under any other authority covered by this recommendation, in an effort to identify communications of particular United States persons, except (a) when the information is necessary to prevent a threat of death or serious bodily harm, or (b) when the government obtains a warrant based on probable cause to believe that the United States person is planning or is engaged in acts of international terrorism.

I'm a bit at sea about the third recommendation. The first strikes me as a wild overreaction to the facts the report alleges. The second just seems like a bad idea.

The concern that gives rise to these suggestions appears to be that though Section 702 does not allow the targeting of US persons, "Section 702 has a potentially troubling impact on the privacy of communications of United States persons because of the risk of inadvertent interception" and "incidental interception." Under current rules, as the Review Group notes, these problems are addressed using minimization requirements. But in the view of the Review Group, "this approach does not adequately protect the legitimate privacy interests of United States persons when their communications are incidentally acquired under section 702." The logical response to this problem, in my view, would have been to identify the specific deficiencies in the current minimization procedures and recommend improvements to them. But the Review Group instead suggests three broad principles---each of which seems at least a little off-base to me.

For starters, while the report's text is all about 702 collection, the recommendation clearly sweeps more broadly than 702. By its terms, it applies not only to 702 but also to "any other authority that justifies the interception of a communication on the ground that it is directed a non-United States person who located outside the United States." That's clearly a reference to collection under Executive Order 12333, which governs---among other things---electronic surveillance against non-U.S. persons overseas when the technical collection itself also takes place overseas.

To see how dramatic the change would be if one implemented this recommendation, let's compare both the relevant discussion in 12333 and under the 702 minimization procedures to subsection (1) of the recommendation, which would limit retention to material that "either has foreign intelligence value or is necessary to prevent serious harm to others." Under the minimization procedures, foreign communications involving U.S. persons can be retained and used if necessary for the maintenance of technical databases, if they involve evidence of a crime, “if the identity of the United States person is deleted and a generic term or symbol is substituted,” if the U.S. person has consented, or in certain other situations: if the U.S. person is meaningfully tied to a foreign power, if “the identity of the United States person is necessary to understand foreign intelligence information or assess its importance,” or if the person may be “engaging in international terrorist activities,” for example. Under 12333, Section 2.3:

Agencies within the Intelligence Community are authorized to collect, retain or disseminate information concerning United States persons only in accordance with procedures established by the head of the agency concerned and approved by the Attorney General, consistent with the authorities provided by Part 1 of this Order. Those procedures shall permit collection, retention and dissemination of the following types of information:

(a) Information that is publicly available or collected with the consent of the person concerned;
(b) Information constituting foreign intelligence or counterintelligence, including such information concerning corporations or other commercial organizations. Collection within the United States of foreign intelligence not otherwise obtainable shall be undertaken by the FBI or, when significant foreign intelligence is sought, by other authorized agencies of the Intelligence Community, provided that no foreign intelligence collection by such agencies may be undertaken for the purpose of acquiring information concerning the domestic activities of United States persons;
(c) Information obtained in the course of a lawful foreign intelligence, counterintelligence, international narcotics or international terrorism investigation;
(d) Information needed to protect the safety of any persons or organizations, including those who are targets, victims or hostages of international terrorist organizations;
(e) Information needed to protect foreign intelligence or counterintelligence sources or methods from unauthorized disclosure. Collection within the United States shall be undertaken by the FBI except that other agencies of the Intelligence Community may also collect such information concerning present or former employees, present or former intelligence agency contractors or their present or former employees, or applicants for any such employment or contracting;
(f) Information concerning persons who are reasonably believed to be potential sources or contacts for the purpose of determining their suitability or credibility;
(g) Information arising out of a lawful personnel, physical or communications security investigation;
(h) Information acquired by overhead reconnaissance not directed at specific United States persons;
(i) Incidentally obtained information that may indicate involvement in activities that may violate federal, state, local or foreign laws; and
(j) Information necessary for administrative purposes.
In addition, agencies within the Intelligence Community may disseminate information, other than information derived from signals intelligence, to each appropriate agency within the Intelligence Community for purposes of allowing the recipient agency to determine whether the information is relevant to its responsibilities and can be retained by it.

Depending on how one reads the recommendation, it could be seen as precluding a lot of these uses. But the Review Group never really says why, for example, lawfully-acquired material that is evidence of a crime should be purged. It does not suggest that there have been abuses of the authority to retain information "for administrative purposes" or where "the identity of the United States person is deleted and a generic term or symbol is substituted." Other than at the highest level of altitude, in fact, it doesn't really say what this reform would really remediate. If other words, the proposed change seems significantly in excess of what the Review Group identifies as the problem. That problem, in the Review Group's view, is three-fold. First, "when a United States person . . . communicates with a legally targeted non-United States person who is outside the United States, there is a significantly greater risk that his communication will be acquired under section 702" than if both people are in the U.S. or than if both people were U.S. persons. Second, it's hard to tell when people are or are not inside the US so mistakes happen. And third, the whole concept of "foreign intelligence value" is pretty vague. I can see how these concerns might justify tinkering with minimization requirements. But I can't see how it justifies radically narrowing the categories of information we permit the intelligence agencies to retain and process---particularly with respect to criminal activity.

This brings me to subsection (2) of the recommendation, which would create a kind of exclusionary rule for material collected about a US person in proceedings against that person. This seems indefensible to me conceptually. Imagine for a moment that NSA had lawful coverage of a major terrorist leader overseas. Imagine that a U.S. person then contacted this terrorist leader and NSA incidentally intercepted a communication in which he offered his services. Do we really want a rule that would exclude that intercept from a proceeding against the U.S. person? Why? I can see the argument for an exclusionary rule with respect to unlawful interceptions, but if the intelligence community is acting within its authority, I can't see the argument for excluding the fruits of entirely lawful surveillance. The Review Group's argument here seems to be that this is surveillance that would, under other circumstances, require a warrant as to the US person. But so what? Wiretaps implicate people who are not their targets (and against whom no warrant exists) all the time. More generally, authorities luck into good information frequently. We normally consider that a good thing to the extent they are behaving appropriately.

I am less certain I understand the contours of subsection (3) or how significant a change it would be. Specifically, I do not know the current rules that govern the circumstances under which authorities can search for the communications of a specific U.S. person in databases of lawfully collected material absent a warrant or a threat of serious bodily injury. I'm not even sure the guidelines here are public. If any readers have a sense of that they look like now and how big a change this would be, I would be interested to learn more. At a minimum, though, the restriction in (3)(b) to situations in which the government has a warrant that the US person is planning "acts of international terrorism" seems to me much too narrow. Should the government now be able to search for communications with a warrant in an investigation of a US person for plotting a coup against an allied government? What about if the government has a warrant in an investigation of a US person for espionage or trafficking in nuclear materials or human trafficking?

For all these reasons, I cannot see the administration embracing Recommendation #12 in anything like the form the Review Group has put it forward.

Whether Recommendation #13 represents a similarly dramatic step or merely a reiteration of current policy largely depends on how one interprets the words "national security." The recommendation is cast as a reaffirmation that 702 and 12333 surveillance are "authorized by duly enacted laws or properly authorized executive orders," not directed at illegitimate ends, exclusively directed at the "national security of the United States or our allies," and not disseminating information about non-US persons that is not relevant to that goal. (It also reaffirms that surveillance is not conducted solely based on people's speech or religion and that surveillance is subject to careful oversight.) I see no problem with this recommendation to the extent that one interprets the words "national security" as including all of the foreign policy interests of the country for which policymakers rely on intelligence. If one interprets, by contrast, national security as referring only to the military and security-oriented uses of intelligence (preventing terrorism, learning the military capabilities and intents of adversaries, etc.), then this recommendation would not be a reaffirmation of current policy but a significant change in it. And that change would be a bad idea. I can't imagine that the Review Group here meant to suggest forswearing non-security-oriented espionage against non-US persons overseas. So assuming the administration treats the words "national security" in its broadest sense, I see no reason why it wouldn't embrace this recommendation.