Surveillance: NSA Warrantless Wiretapping
The Minimization and Targeting Procedures: An Analysis
Edward Snowden is on the move, in Moscow and reportedly heading towards Ecuador, but I will leave coverage of that to the daily press. I want to focus in this post on the latest of Snowden's major disclosures: two documents published by the Guardian laying out targeting and minimization procedures for surveillance under Section 702 of the FISA.
To be clear, I would not have posted these documents on Lawfare--and will not do so now. One is stamped "SECRET//COMINT//NOFORN//20320108." The other is stamped "TOP SECRET//COMINT//NOFORN//20320108." We are not in the business here of blowing classified programs. Parts of these documents made me wince when I read them, and I would prefer not to write about them at all. For those who want to read them, the Guardian has posted both the minimization procedures and the targeting procedures.
But neither can I ignore that these documents are out there now. And that being the case, they are already shaping in important ways the debate over 702 surveillance. The journalism around them has been alarmist and distortive. Slate writes that "Last week, President Obama claimed in an interview that the National Security Agency could not listen to Americans’ phone calls or read their emails. But newly revealed secret government documents---the latest in the series of high-profile leaks about classified surveillance---outline how the NSA can sweep up and store Americans’ communications." The New Yorker's Amy Davidson writes:
reading the new documents, which include a secret FISA court order that amounts to a gift certificate for one year of warrant-free spying, it becomes clear that many more “United States persons” have their communications monitored, and on much vaguer grounds, than the Obama Administration has acknowledged. “What I can say unequivocally is that, if you are a U.S. person, the N.S.A. cannot listen to your telephone calls, and the N.S.A. cannot target your e-mails,” the President said earlier this week. A 2009 memorandum signed by Eric Holder establishes a broader criteria, referring to people “reasonably believed” to be located abroad. That reasonable belief, as it turns out, can be quite shaky.
But reasonably understood, these documents should give Americans a lot of confidence that the government's internal, never-meant-for-release guidance to its people is consistent with the law, protective of civil liberties, and pervasively designed to avoid monitoring domestic communications and those of innocent Americans overseas. While parts of the documents are operationally revealing, much of the material at their heart, at least to my eyes, is not especially sensitive and could probably have been discussed publicly. If that's right, the government missed a huge opportunity to instill public confidence in this program by disclosing those aspects of its policies long ago.
What's more, the documents, now that they are public, beg certain questions---questions I think the government, in light of their release, would do well to address now to the maximum extent possible.
To flesh out these points, I'm going---with no small discomfort---to give a fairly dense summary of material I do not think should have been leaked. As I say, I would not have published these documents, but that ship has sailed. The question now is whether the debate will reflect anything like what they actually say.
The Targeting Procedures
The first of the memos outlines procedures for targeting individuals for collection in the first place. The law, after all, only allows bulk collection without an individualized warrant against targets the NSA reasonably believes to be non-US persons overseas. And it requires the FISA court to sign off on the procedures the agency uses to make that determination. So as a preliminary matter, it is important to emphasize that these procedures seek to implement a statutorily-authorized surveillance process and do so subject to judicial review. Here is what they require as a condition for targeting an individual for communications interception.
The NSA evaluates whether a person is a "non-United States person reasonably believed to be outside the United States" based on "the totality of the circumstances." The agency's analysts look to three different categories of information to make this judgment. First, they look at the "lead information" to determine what it says about the target's identity and the location of the facilities he or she is using for communications. Has the target said anything on the subject? Has a source said anything about who and where the target is? Have intelligence or law enforcement partners said anything? Whom has the person been in touch with, and does the pattern of contacts suggest anything about the target? Second, the agency looks to information it has "in its databases . . . to determine if the person's location, or information providing evidence about the person's location, is already known." Third, the agency will also engage in "technical analysis concerning the facility from which it intends to acquire foreign intelligence information" to see what it can learn that way. For example, it might identify the country code of a telephone number or look at the IP addresses for internet communications to see what it can glean about physical location.
Assuming the NSA reasonably believes, after this initial project, that the target is overseas, there's still the question of whether he may be a U.S. person. Sometimes, the same information will tend to answer both the location question and the status question, but sometimes it won't. So there's an additional layer of analysis focused only on the status question. To prevent accidental targeting of U.S. persons, the agency maintains a database of phone numbers and electronic communications accounts that it "has reason to believe are being used by United States persons" and are thus off-limits. So "[p]rior to targeting, a particular telephone number or electronic communications account/address/identifier will be compared against those records. . . ."
The default option is, on its face, permissive. In the absence of "specific information" suggesting that a potential target is a U.S. person, the procedures allow the NSA to presume that someone "reasonably believed to be located outside the United States or whose location is not known" is a lawful target---leaving some inadvertent collection against U.S. persons and some inadvertent domestic collection to the minimization requirements discussed below.
But it actually isn't enough to determine that someone is likely a non-U.S. person abroad to authorize collection against her under 702; the procedures also require that a potential target "possesses and/or is likely to communicate foreign intelligence information concerning a foreign power or foreign territory. . . ." And they lay out a series of factors the agency will use in making that assessment. Along the way, analysts have to document "the information that led them to reasonably believe that a targeted person is located outside the United States"---and the database of this documentation "will be reviewed" to make sure the documentation is adequate.
All that takes place before interception begins, but the assessment continues after interceptions commence. Such "post-targeting analysis" is intended "to detect those occasions when a person who when targeted was reasonably believed to be located outside the United States has since entered the United States." It also presumably flags cases where the reasonable belief turns out to be wrong. If, in the course of this ongoing analysis, it turns out that a target has entered the United States or is, after all, a U.S. person, the surveillance stops.
Finally, the procedures contain a number of internal executive oversight mechanisms and some key reporting requirements. Most importantly, NSA has to report to the Justice Department and the ODNI "any incidents of noncompliance" with the procedures "that result in the intentional targeting of a person reasonably believed to be located in the United States, the intentional targeting of a United States person, or the intentional acquisition of any communication in which the sender and all intended recipients are known at the time of acquisition to be located within the United States." And it has to report to the Justice Department and ODNI any time it "concludes that a person is reasonably believed to be located outside the United States and after targeting . . . learns that the person is inside the United States." It also, in this situation, has to "[T]erminate the acquisition without delay and determine whether to seek a Court order," and it must subject any communications acquired to the minimization procedures.
The procedures also allow "temporary" deviations from their terms "to protect against an immediate threat to the national security" but require all such deviations to be reported to the Justice Department and ODNI.
The Minimization Procedures
The law also requires that collection under Section 702 be subject to court-approved minimization requirements---that is, requirements that the agency not retain or disseminate material it inadvertently sweeps up that it is not allowed to collect. All bulk collection necessarily sweeps more broadly than legitimate foreign intelligence against legitimate targets, so the intelligence community has long used minimization as a way of limiting itself post-acquisition to those materials that fall legitimately within its purview.
The minimization requirements under Section 702 begin where the targeting procedures leave off. They require personnel to "destroy inadvertently acquired communications of or concerning a United States person at the earliest practical point in the processing cycle at which such communication can be identified" if it "does not contain foreign intelligence information" or "evidence of a crime." All such material acquired on U.S. persons must be destroyed within five years.
As communications get reviewed, analysts have to assess whether they pertain to a legitimate target and contain foreign intelligence information or evidence of a crime. Only those that do "may be processed." Communications that do not meet the standard for retention and that contain U.S. person information "will be destroyed upon recognition, and may be retained no longer than five years in any event." Communications that were the result of targeting of someone who was reasonably believed to be overseas but is, in fact, located domestically "will be treated as domestic communications. . . ."
All domestic communications "will be promptly destroyed upon recognition unless the Director . . . of NSA specifically determines, in writing," that the communication is legitimate foreign intelligence, contains evidence of a crime, contains "technical data base information . . . or information necessary to understand or assess a communications security vulnerability," or contains information "pertaining to a threat of serious harm to life or property." The NSA is allowed, if a domestic communication suggests that a legitimate target has entered the United States, to alert the FBI, and when domestic communications indicate evidence of a crime, it is allowed to give that information "to appropriate Federal law enforcement authorities. . . ."
Meanwhile, foreign communications involving U.S. persons can be retained and used only if necessary for the maintenance of technical databases, if they involve evidence of a crime, "if the identity of the United States person is deleted and a generic term or symbol is substituted," if the U.S. person has consented, or in certain other situations: if the U.S. person is meaningfully tied to a foreign power, if "the identity of the United States person is necessary to understand foreign intelligence information or assess its importance," or if the person may be "engaging in international terrorist activities," for example.
Like the targeting procedures, the minimization procedures contemplate emergency deviations in exigent circumstances, and they require that these be reported to the Justice Department and the ODNI.
These procedures strike me as quite reasonable, and more or less what one would expect based on a careful reading of Section 702. Anyone who is shocked by them simply did not understand the law. If you don't believe this, consider the relevant passage from the statutory text itself. It's hardly obscure:
Notwithstanding any other provision of law, upon the issuance of an order . . . the Attorney General and the Director of National Intelligence may authorize jointly, for a period of up to 1 year from the effective date of the authorization, the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information.
An acquisition authorized under subsection (a)—
(1) may not intentionally target any person known at the time of acquisition to be located in the United States;
(2) may not intentionally target a person reasonably believed to be located outside the United States if the purpose of such acquisition is to target a particular, known person reasonably believed to be in the United States;
(3) may not intentionally target a United States person reasonably believed to be located outside the United States;
(4) may not intentionally acquire any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States; and
(5) shall be conducted in a manner consistent with the fourth amendment to the Constitution of the United States.
(c) Conduct of acquisition
(1) In general
An acquisition authorized under subsection (a) shall be conducted only in accordance with—
(A) the targeting and minimization procedures adopted in accordance with subsections (d) and (e). . . .
. . .
(d) Targeting procedures
(1) Requirement to adopt
The Attorney General, in consultation with the Director of National Intelligence, shall adopt targeting procedures that are reasonably designed to—
(A) ensure that any acquisition authorized under subsection (a) is limited to targeting persons reasonably believed to be located outside the United States; and
(B) prevent the intentional acquisition of any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States.
(2) Judicial review
The procedures adopted in accordance with paragraph (1) shall be subject to judicial review pursuant to subsection (i).
(e) Minimization procedures
(1) Requirement to adopt
The Attorney General, in consultation with the Director of National Intelligence, shall adopt minimization procedures that meet the definition of minimization procedures under section 1801(h) of this title or section 1821(4) of this title, as appropriate, for acquisitions authorized under subsection (a).
(2) Judicial review
The minimization procedures adopted in accordance with paragraph (1) shall be subject to judicial review pursuant to subsection (i).
- How many times has NSA had to report to DOJ and to the ODNI incidents of noncompliance with the targeting procedures that led to intentional targeting of U.S. persons?
- How many times has it had to report non-compliance that led to the intentional targeting of people reasonably believed to be in the United States?
- How many times has it had to report that a person reasonably believed to be outside of the United States turned out to be stateside?
- How often has it had to report that it had to deviate from its targeting procedures "to protect against an immediate threat to national security"?
- How often has it had to report that it had to deviate from its minimization procedures "to protect against an immediate threat to human life"? and
- What is the total volume of targeting under 702? In other words, do the errors the answers to the previous questions identify represent a high rate of system failure or a low one?
I am broadly comfortable with this law, and comfortable as well with these procedures implementing it. In any complex system like this, there's going to be some error rate. It would enhance my comfort level considerably to know---even in general terms---that these procedures are being followed, and that non-compliance, when it happens, is being reported and acted upon in a serious way.