Paging Devin Nunes: You'd better get yourself over to the White House to brief the President. Get this: The FBI is engaged in a pattern of incidental collection of information on US persons in the course of routine cybersecurity investigations. What's more, when agents do this collection, they are actually calling the US persons with threatening warnings.
Sound scary? Disturbing? Scandalous?
In fact, given all the public hoohah recently over incidental collection, I'd actually like to take a moment to thank the FBI for a recent incident of what appears to be incidental collection of communications about, well, me.
Several weeks ago, a few days after President Trump accidentally tweeted a Lawfare article I had written (I'm honestly not sure if the timing was a coincidence or not), I received a call from the FBI warning me that I was now the target of a spear-phishing operation and that I should take whatever steps I hadn't already taken to secure my accounts. The agent who called me was vague. He couldn't tell me much. And so I don't know for sure that the bad actor is abroad or that the information about this bad actor came as a result of surveillance. So yes, it's possible that this was some domestic identity theft ring, one of whose members had flipped and had delivered a list of targets that for some reason included me. Possible, I suppose, but not very likely. The vagueness and secrecy were much more consistent, at least in my judgment, with the news that I was on someone's target list having come from some kind of surveillance against some kind of target, probably but not certainly abroad.
Assuming that's the case—that the FBI was surveilling some cyber bad actor whose list of intended targets just happened to include me right after President Trump just happened to have tweeted a Lawfare post—then I would be an example of "incidental" collection, an example that is actually very similar to the collection about which Devin Nunes is reaching for the smelling salts with respect to the Trump transition. That is, people under presumably lawful surveillance had talked about me or written my name down, and the FBI had collected this information and was now using it to take appropriate action: to wit, reporting it to me so that I could protect myself.
This surveillance might have been simple Title III surveillance under domestic criminal authorities. It might have been intelligence surveillance under either FISA or Executive Order 12333. Either way, information about me appears to have gotten swept up in collection targeted against others. Sound familiar?
It should. Compare it to the New York Times's account of the material that has so upset Nunes: "The intelligence reports consisted primarily of ambassadors and other foreign officials talking about how they were trying to develop contacts within Mr. Trump’s family and inner circle before his inauguration, officials said."
Exactly what has upset Nunes about this material is a bit of a moving target. Sometimes, it seems to be the fact of the unmasking of officials. Sometimes, it seems to be the fact of the incidental collection itself, with the implication being that the collection was some kind of reverse-targeted surveillance of the Trump transition itself. That's certainly the suggestion in Trump's own comments, the most recent of which was this tweet today:
— Donald J. Trump (@realDonaldTrump) April 3, 2017
To whatever extent there's some implication that there's something nefarious about incidental collection—an implication Trump shares with elements of the civil libertarian left, by the way—here's the thing: the incidental collection on me was by no means a problem for my civil liberties. In fact, it was a bit of a blessing for my civil liberties—for the simple reason that it allowed my friendly neighborhood FBI Field Office to give me a friendly neighborhood warning. And that, in turn, allowed me to be very careful about links people were sending me. (Similarly, incidental collection about how officials are planning to develop contacts among Trump's family and inner circle might quite reasonably inform intelligence product that would be useful to those people.)
Here's another thing: I am not special.
A lot of people and organizations get these warnings all the time. For example, Clint Watts, who testified the other day before the Senate Intelligence Committee, revealed:
On 26 October 2015, I authored a post at the Foreign Policy Research Institute (FPRI) entitled “Russia Returns As Al Qaeda And The Islamic State’s Far Enemy” noting: “The Russians have used social media driven information campaigns to discredit the U.S. for years. Facebook and Twitter remain littered with pro-Russian, Western looking accounts and supporting automated bots designed to undermine the credibility of the U.S. government.”
Just a few weeks later in November 2015, the FBI visited FPRI notifying their leadership that I had been targeted by a cyber attack. The FBI didn’t say who exactly had targeted me, but I had a good idea who it might be.
Any number of colleagues at universities, newspapers, and think tanks who do work in areas of interest to foreign intelligence services—including other Lawfare contributors, by the way—have received similar warnings. All of these people are "victims" of incidental collection, and I venture the guess that they're mostly grateful for the victimization.
My point here is that incidental collection in and of itself is not a bad thing. It's merely an inherent feature of surveillance. To say that the Trump transition was the subject of incidental collection communicates nothing of interest at all. Of course it was.
And guess what? So are members of the Senate of the United States and the House of Representatives.
To know whether incidental collection is good or bad or neutral with respect to the civil liberties of its subjects, you have to know not merely that it occurred, but what happened to the information afterwards. In my case, it was a very good thing. And if for any reason there exists some intelligence reporting around the government that the FBI warned "US Person Number 437" about a spear-phishing attack planned against him after a presidential tweet, and if any official is wondering who that "US Person Number 437" may be, let me save you the trouble of asking the bureau to unmask him.
That would be me.
And please guys, feel free to incidentally collect on me like that any time you like.