FISA: Reform

On "Going Dark"

By Carrie Cordero
Saturday, July 26, 2014, 4:00 PM

Today’s Washington Post piece by Ellen Nakashima speaks of "going dark"---or the "growing gap between the government’s legal authority and its practical ability to capture communications."  The article highlights what is, in my assessment, the most significant long-term consequence of the Snowden disclosures: the increasingly adversarial relationship between the government and the private sector. What follows is my assessment of the operational harms that have resulted from the Snowden disclosures, touching on the issue discussed in Nakashima's piece, last.

There have been at least four different categories of operational degradation caused by the disclosures. First, there are the actions taken by terrorists, other nations and/or organizations or groups that believe (and may now have confirmation based on leaked documents) that they have been targets of NSA surveillance in the past. Armed with detailed information about how, where, and to some extent, against exactly whom, the NSA has been conducting surveillance, these targets have already or will soon change their behavior and operational security. In some cases, that may mean that the NSA will no longer have visibility on a particular target. In other cases, it may mean that Intelligence Community operators and analysts will devote additional time, effort and attention to discovering a target’s new methods of communication, if possible.

Second, there are the actions taken by the U.S. Government in the past year to scale back collection. Some of this scaling back is in accordance with the recommendations of two outside reviews that were conducted, one by the President's Review Group and another by the Privacy and Civil Liberties Oversight Board (PCLOB). The President adopted a series of interim reforms which he issued on January 17, 2014, through a new directive, Presidential Policy Directive 28 (PPD-28). PPD-28 provides both clarity regarding current practice for signals intelligence, and additional restrictions on collection, use and information sharing of foreign intelligence information.[1] In addition, the President announced that the government generally would no longer conduct collection activities against specific persons or official positions. The Executive Branch has “made determinations to not pursue surveillance on dozens of heads of state and government,” according to a senior administration official.[2]

In March 2014, the President announced specific changes that he directed be implemented immediately regarding the telephone metadata program.[3] Specifically, he informed the public that the metadata dataset would only be queried using two “hops” from the original “seed” telephone number; as opposed to prior practice, which permitted three “hops.” He also announced that, in a change from prior practice, the government would present each proposed seed number to the FISC for approval that the facts concerning that number meet the reasonable articulable suspicion standard (RAS) that the number is associated with terrorism. Prior practice enabled NSA analysts to select queries in accordance with internal agency pre-approval, and post-review oversight by the Department of Justice, but without prior Court approval. And, the White House stated that in the future, the data would reside with the telephone companies, not with the government. In the subsequent debate over legislative proposals concerning the telephone metadata program, at least one telecommunications carrier has questioned whether a system that requires the companies themselves to responds to government requests, and potentially facilitate the analysis of the data, amounts to an outside entity performing what is inherently a government function.[4] On June 18, 2014, the Department of Justice and Office of the Director of National Intelligence released a statement revealing that the government had sought, and the FISC had granted, an additional 90-day extension of the telephone metadata program, because legislation had not been enacted providing a new framework for the acquisition to continue in a different manner.[5]

Third, there is the coming legislative action. It now seems that Congress is close to passing a revised USA Freedom Act. I have not seen the text of the new bill that is expected to be introduced shortly, but I would expect that it will probably outlaw bulk collection under the FISA business records and pen register/trap and trace provisions, at least.

This approach has garnered significant support across the political spectrum. I think it is a mistake. Outlawing bulk collection under multiple statutory provisions may very well clash with national security imperatives in the future. Here is why: it is not unlikely that a terrorism or cybersecurity threat will present itself in a way that Intelligence Community operators and analysts will assess is important to obtain a certain type of information about, in order to counter the threat. Because much information in modern life resides in digital format, for a variety of reasons (including both speed and efficiency) it may be necessary to request a dataset that is larger than one, or one hundred, or one thousand. [6] The current House version of the USA Freedom Act, H.R.3361, outlaws bulk collection pursuant to these statutory authorities. Accordingly, it does not provide the Intelligence Community with flexibility to collect a dataset---one that might be large, but not nearly as large as the existing telephone metadata collection---under a statutory framework that involves oversight by the Department of Justice, the Office of the Director of National Intelligence, the FISC, and the Congressional oversight committees. As a result, a threat and need for a certain category of information may arise in the future, and policymakers and the President will be left with two choices: forego the collection altogether and risk failing to prevent the threatened activity; or, proceed under Executive authority alone.[7] Outlawing bulk collection is an over-correction.

Finally, operational degradation may also be a downstream effect of the increasingly adversarial relationship between the Executive Branch and the private sector, such as communications providers, as highlighted in Nakashima’s piece today. Companies are increasing efforts to develop and use encryption for data both at rest and in transit in order to make it harder for governments (and, not insignificantly, criminal actors) to access data.[8] Others are taking steps to ensure that they are not capable of complying with a government request even if they wanted to, by not holding more customer data than they absolutely have to.[9] Yet another is extending its fiber optic cable network in order to have greater control over it.[10] Companies may also be more likely to challenge government requests for information in national security cases, pursuant to legal process such as National Security Letters[11] or FISA orders. More challenges may also occur with respect to criminal investigative authorities, such as Electronic Communications Privacy Act (ECPA)[12] orders or pen register/trap and trace devices under criminal authorities.

Prior to the disclosures, there had been limited litigation initiated by the companies who were served with legal process under FISA (such as an order or directive) against the government. Under FISA, companies may challenge orders issued by the FISC under the pen register trap and trace provisions, and the business records provisions. They may also challenge directives issued by the Attorney General and Director of National Intelligence under section 702. Based on information that has been publicly reported to date, no provider has challenged a pen register/trap and trace order under FISA; at least one company unsuccessfully protested, on constitutional grounds, an order compelling bulk collection of telephony metadata under FISA's business records provision.

In addition, no company (again, at least according to publicly-available information), has challenged a directive issued under Section 702 of FISA. We now know that Yahoo did challenge a directive issued under the six-month, temporary law that preceded the FISA Amendments Act of 2008, the Protect America Act of 2007 (PAA). It appealed the directive to the Foreign Intelligence Surveillance Court of Review (FISCR). The FISCR’s decision was declassified and published in 2008. The Court found that the acquisition conducted under the PAA was reasonable under the fourth amendment, and further articulated the Court’s view that there is a foreign intelligence exception to the warrant requirement.[13]

This is not to suggest that a company should not challenge an order or directive received under FISA if it believes that the government request is unlawful, or overly broad in the scope of information requested, as examples. Rather, it is simply to observe that there will be a range of consequences to this increasingly adversarial environment: on one hand, companies may be more inclined than they were prior to June 2013 to challenge requests if there is any question regarding the scope of the request, the applicability of the statutory framework to the particular request, and/or the Constitutionality of the underlying statute. On the other hand, government personnel may become more reluctant to request private sector assistance using new methods of collection, due the perception---real or feared---that industry will not entertain requests to provide assistance.

Former DNI John M. (Mike) McConnell testified before Congress in September 2007 during the extensive public debate that occurred prior to the passage of the FISA Amendments Act of 2008 that:

[i]t is important to keep in mind that, in certain situations, the Intelligence Community needs the assistance of the private sector. We cannot "go it alone."[14]

The coming years could witness a significant degradation in the U.S. Intelligence Community’s ability to keep pace with the changing modes of communication of international terrorist organizations, hostile nation states and other national security threats, if there develops an increasing gulf between the government’s needs on behalf of protecting the public, and industry’s needs on behalf of its customers and investors. Indeed, one of the most significant, long-term, and damaging effects of the disclosures, from a national security perspective, may turn out to be the loss of productive cooperation between the government and the private sector, pursuant to lawful process, in order to enable the government to protect the nation from critical national security threats.

[1] For summary and preliminary analysis of PPD-28 and the speech, see Benjamin Wittes, “The President’s Speech and PPD-28: A Guide for the Perplexed,” (January 20, 2014), available at /presidents-speech-and-ppd-28-guide-perplexed. For an early reaction to the President’s January 17, 2014 speech, see Ritika Singh, “Lawfare Podcast #58: Lawfare Roundtable on President Obama’s NSA Speech,” available at /lawfare-podcast-episode-58-lawfare-roundtable-president-obamas-nsa-speech. See also, White House Fact Sheet on Review of Signals Intelligence http://www.whitehouse.gov/the-press-office/2014/01/17/fact-sheet-review-us-signals-intelligence.

[2] Federal News Service Transcripts, On-Background Conference Call to Preview the President’s Speech on Signals Intelligence Briefers: Senior Administration Officials, January 17, 2014

[3] On March 27, 2014, the Administration announced immediate changes to the telephone records program. See White House Fact Sheet: The Administration’s Proposal for Ending the Section 215 Bulk Telephony Metadata Program, http://www.whitehouse.gov/the-press-office/2014/03/27/fact-sheet-administration-s-proposal-ending-section-215-bulk-telephony-m. Several changes to the telephone program were made, including requiring advance approval by the FISC, identifying a goal of the data residing with the private sector. The President did not endorse an additional option that had been previously under consideration, housing the data with a private sector third party. See Carrie Cordero and Elizabeth Goitein, “The Third Party Metadata Idea is Fourth Rate,” Wall Street Journal, (March 10, 2014) available at http://online.wsj.com/news/articles/SB10001424052702303824204579421730751499624.

[4] See Statement for the Record of Michael J. Woods, Vice President and Associate General Counsel, Verizon, before the Senate Select Committee on Intelligence, Foreign Intelligence Surveillance Act (FISA) Reforms, (June 5, 2014) available at http://www.intelligence.senate.gov/140605/woods.pdf (stating that “national security is a fundamental government function and should not be outsourced to private companies.”) See also Carrie Cordero and Elizabeth Goitein, “The Third Party Metadata Idea is Fourth Rate, Wall Street Journal,” March 10, 2014, available at http://online.wsj.com/news/articles/SB10001424052702303824204579421730751499624.

[5] Joint Statement From the Office of the Director of National Intelligence and the Department of Justice on the Declassification of Renewal of Collection Under Section 501 of the Foreign Intelligence Surveillance Act (June 18, 2014), available at http://www.dni.gov/index.php/newsroom/press-releases/198-press-releases-....

[6] PPD-28 defines bulk collection as: “the authorized collection of large quantities of signals intelligence data which, due to technical or operational considerations, is acquired without the use of discriminants (e.g., specific identifiers, selection terms, etc.). PPD-28, FN 5. There may be examples of datasets that include dozens, or hundreds, or thousands of persons’ records, metadata, or communications, that would not be on the scale of the telephone metadata program, but that would be necessary to collect for national security purposes in order to enable the Intelligence Community to analyze some subset of that data for the information or communications of valid foreign intelligence targets. Because “large quantities” is not defined, the Executive Branch will apply discretion as proposals arise, and providers may be likely to challenge any request that is even somewhat large based on the vague language of the text, if enacted.

[7] HR 3361 also limits the ability to obtain records under certain provisions of FISA according to a “specific selection term.” HR 3361 defines the “specific selection term” as: “a discrete term, such as a term specifically identifying a person, entity, account, address or device, used by the Government to limit the scope of the information or tangible things sought pursuant to the statute authorizing the provision of such information or tangible things to the government.” Available at http://beta.congress.gov/113/bills/hr3361/BILLS-113hr3361rfs.pdf. From this observer’s perspective, a likely effect of the “specific selection term” approach is that it will increase the likelihood for litigation of national security requests. As we know, the type of “terms” that may identify a “person, entity, account, address or device” changes as technology changes. And quickly. For example, is a Twitter hashtag a specific selection term” as defined in H.R. 3361? Arguably, yes. But for the “next Twitter” that creates a new “term” for identifying a “person, entity, account, address or device,” it is likely that that new company or provider might be more likely to litigate whether or not the term constitutes a “specific selection term.” Although the Administration has expressed support for H.R. 1361 and is therefore probably comfortable with the “such as” qualifier in the text, the better practice would be to not try to over-define terms in the statute.

[8] See David E. Sanger and Nicole Perlroth, “Internet Giants Erect Barriers to Spy Agencies,” New York Times, (June 6, 2014) (stating that Silicon Valley tech companies “are making it far more difficult – and far more expensive – for the National Security Agency and the intelligence arms of other governments around the world to pierce their systems.” Microsoft, for example, is litigating a request from the government pursuant to ECPA, seeking data from a customer that is stored in a Microsoft data center in Ireland. In the Matter of a Warrant to Search to Search a Certain E-Mail Account Controlled and Maintained by the Microsoft Corporation, Brief available at http://www.washingtonpost.com/r/2010-2019/WashingtonPost/2014/06/10/National-Security/Graphics/SDNY%20MSFT%20Brief.pdf. See Remarks by Brad Smith, Executive Vice President and General Counsel; Berlin, “Privacy and Trust in the Cloud,” available at http://www.microsoft.com/en-us/news/speeches/2014/05-19smith.aspx (May 19, 2014) (stating “we’re quite concerned that the U.S. government is going to magistrates in the context of national security cases and seeking warrants that are then, in effect, applied to data --- content data - - that resides in other countries.)

[9] See Amrita Jayakumar, “Encryption Company Silent Circle, Creator of Blackphone, Raises 30 Million,” Washington Post, (May 21, 2014,) available at http://www.washingtonpost.com/business/capitalbusiness/encryption-compan....

[10] See David E. Sanger and Nicole Perlroth, “Internet Giants Erect Barriers to Spy Agencies,” New York Times, (June 6, 2014), available at http://www.nytimes.com/2014/06/07/technology/internet-giants-erect-barri....

[11] Microsoft, for example, recently successfully challenged a national security letter request. See post by Brad Smith, Microsoft Executive Vice President and General Counsel, “New success in protecting customer rights unsealed today,” May 22, 2014, available at http://blogs.technet.com/b/microsoft_on_the_issues/archive/2014/05/22/ne....

[12] Microsoft is also challenging an ECPA order issued by a magistrate judge in the Southern District of New York for customer information held in a data center in Ireland. See John Ribeiro, “Microsoft Challenges U.S. Warrant Demanding Emails Stored Overseas,” PCWorld, (June 10, 2014) available at  http://www.pcworld.com/article/2362140/microsoft-challenges-us-warrant-t....

[13] No 08-01, In Re Directives [redacted] Pursuant to Section 105B of the Foreign Intelligence Surveillance Act, 551 F.3d 1004 (For.Intel.Surv.Rev. 2008).

[14] Statement for the Record, former DNI John M. (Mike) McConnell, Hearing on the FISA and the Implementation of the Protect America Act, September 25, 2007, available at http://www.dni.gov/files/documents/Newsroom/Testimonies/20070925_testimo...