I have refrained so far from commenting on this fascinating article by Cato’s Julian Sanchez---to which Raffaela linked yesterday---which outlines a new theory as to how the crisis developed in 2007 that led to, first, the Protect America Act and later to the FISA Amendments Act. I refrained because it took a while for me to figure out what I think of it. Or, rather, it has taken me a while to decide that I still don’t know what I think about. But it seems like a very plausible theory to me, so I thought I would draw some attention to it and perhaps stir some discussion among Lawfare readers. To put the matter simply, Sanchez hypothesizes that there may be a link between cable deregulation and the still-mysterious ruling by the FISA court that spurred Congress to enact the PAA. And he has a tantalizing public source for his theory.
The history here is dense, but here’s the barest of outlines. The Bush administration had its warrantless wiretapping program, which initially circumvented FISA. Some time after the New York Times disclosed the existence of the program, however, the government announced that it had reached an understanding with the FISA court as to how to bring the program---the details of which are still classified---under the auspices of the FISA. This arrangement, however, did not last long. In 2007, something spooked the FISA court, and it issued a ruling that triggered a crisis---in which the intelligence community asserted that important areas of collection would grind to a halt if Congress did not act. That provoked Congress first to pass a temporary measure (the PAA) and later a more permanent bill: The FAA, which is now up for renewal.
Sanchez, writing in Wired and drawing on the new edition of a treatise on national security law by David Kris and J. Douglas Wilson, has developed an intriguing theory of what happened:
Thanks to whistleblower Mark Klein, formerly an engineer at AT&T, we know that the NSA maintained a series of secret rooms at the offices of major telecommunications companies, where the entire stream of Internet traffic was copied and diverted into a sophisticated piece of surveillance equipment: the Narus Semantic Traffic Analyzer. The NSA could then program the device to filter out and record particular communications for human review according to selected criteria, such as e-mail or IP addresses, and probably also particular keywords in the e-mails themselves.
Initially, this almost certainly would have been classified as “electronic surveillance” of a “wire communication” under FISA, one of four somewhat complicated categories of “electronic surveillance” defined by the statute. Specifically, it would have been covered by 50 U.S.C. 1801(f)(2), which requires a warrant for the “acquisition by an electronic, mechanical, or other surveillance device of the contents of any wire communication to or from a person in the United States.” Crucially, FISA’s definition of a “wire communication” covered any communication– telephonic or digital — in transit over facilities operated by a “common carrier.” This is actually a bit of an anachronistic holdover specific to FISA: The statutes governing criminal wiretap investigations were amended in 1986 to make a provider’s “common carrier” status irrelevant, but the language in FISA remained.
Then, in 2005, came the Supreme Court’s decision in National Cable & Telecommunications Services vs. Brand X Internet Services. On its face, the case had nothing to do with surveillance, but with the contentious debate over “net neutrality.” In 2002, the Bush-era FCC issued a controversial deregulatory ruling stating that broadband Internet over cable wires should be classified as an “information service,” rather than a “telecommunications service” (like traditional telephone service).
Small ISPs like Brand X, as well as supporters of government-enforced “net neutrality,” argued that federal law required broadband to be classed as a “telecommunication service” subject to “common carrier” requirements — just as phone companies are. That designation means, in part, that they had to make their infrastructure available at low cost to competitors.
The Supreme Court ultimately rejected that argument, finding that the FCC had discretion to decide how cable broadband should be categorized, even if there were grounds to question that choice. The FCC promptly acted on that ruling, but provided for a one-year transition period before those common carrier requirements entirely expired.
This gives us a conspicuous coincidence: The mysterious FISC decision described by Boehner would have happened shortly after broadband providers were freed of the last vestiges of “common carrier” status.
“If FISA’s reference to ‘common carrier’ were interpreted in accord with the Communications Act,” Kris and Wilson explain, explicitly citing the Brand X decision, “information (such as e-mail) being carried on a cable owned and offered by a cable modem service provider would not be a ‘wire communication’ under FISA, and acquisition of such information would not be ‘electronic surveillance’ under” the definition that applies to traditional phone calls.
But then, what would it be?
The most likely answer, as Kris and Wilson argue, is that such digital eavesdropping would now be covered by 50 U.S.C. 1801(f)(4), which was originally primarily intended to cover surveillance using hidden microphones or cameras, but now also governs the acquisition of stored e-mails and documents from U.S. servers. This definition explicitly excludes surveillance of a “wire communication,” which means it would not have applied so long as Internet providers were considered “common carriers,” but otherwise covers any “installation or use” of a surveillance device “for monitoring to acquire information under circumstances in which a person has a reasonable expectation of privacy and a warrant would be required for law enforcement purposes.”A surveillance system that targets known foreigners or foreign IP addresses could run afoul of that definition even if it scrupulously avoided intercepting their communications with Americans, because it departs from the standards that apply to “wire communications” in several important ways. Instead of specifically requiring a warrant to intercept the “contents” of a message, it covers any kind of “monitoring to acquire information.” Instead of turning on the location of the senders or recipients of a communication, it applies whenever “a person” –not limited to the parties to the communication, and so potentially including also the provider itself — has some reasonable expectation of privacy.
Finally, it depends on whether comparable surveillance for law enforcement purposes would require a warrant, and in many cases it’s clear that the statutes governing both “live” interception and acquisition of stored communications for criminal investigations would require a warrant, regardless of the user’s location.
In other words, a regulatory change having no obvious connection to NSA surveillance could have suddenly knocked out the legal basis for the NSA’s ongoing Internet surveillance program, and left the telecoms with serious doubts about whether the law allowed them to continue providing technical assistance with that program.
I am not prepared to endorse this theory, but I do think Sanchez’s article is well worth a close read---particularly since the inclusion of a discussion of Brand X in the new edition of the Kris-Wilson treatise is at least suggestive. Kris, of course, ran the Justice Department’s National Security Division until last year, so surely knows the classified underpinnings of the controversy. As Sanchez notes, “Though the authors repeatedly stress that their analysis never relies on classified information, it seems unlikely Kris would devote substantial time and space to an issue he knew to be an irrelevant tangent.”
I would be very interested in hearing from people with expertise in this area as to whether Sanchez’s theory may have legs.
UPDATE: Sanchez writes in an email:
I should clarify: A substantially similar discussion of Brand X was also in the earlier 2007 edition. What's new in the 2012 edition is the discussion of reasons for the FAA "modernization," which alludes to the problem of obtaining stored email under the (f)(4) definition, but conspicuously avoids saying anything about "live" Internet communications. But the discussion makes very little sense if email were still available "off the wire" under the (f)(2) standard, and but for Brand X, it seems clear it would be.