Intelligence Oversight

NSA General Counsel Glenn Gerstell Remarks on Section 702 Oversight

By Matthew Kahn
Friday, September 22, 2017, 1:13 PM

NSA General Counsel Glenn Gerstell delivered the following speech on September 14, 2017 at the Robert S. Strauss Center for International Security.

Good afternoon, and thank you for having me here today. I'd like to start by telling you a story about a former high school teacher in the Middle East. Somewhere along the way, this high school teacher became radicalized and joined a terrorist organization, rising through the ranks to become, at one point, the second-in-command of ISIS. He was known as Hajji Iman.

His transformation from citizen to terrorist landed Hajji Iman among the world's most wanted. The U.S. Treasury Department placed him on a list of Specially Designated Global Terrorists in 2014, and the State Department offered a $7 million dollar reward for information leading to him. As you might expect, his terrorist activities also made him a top focus of NSA's counterterrorism efforts.

The National Security Agency, along with its Intelligence Community partners, spent over two years looking for Hajji Iman. In close collaboration with the Intelligence Community, NSA developed a robust body of knowledge concerning Hajji Iman's personal network and produced intelligence on his associates that included their location. Eventually, NSA and its partners were able to consolidate all of their intelligence to identify the reclusive Hajji Iman and track his movements.

Ultimately, this collaboration enabled U.S. forces to attempt to apprehend Hajji Iman and two of his associates. On March 24, 2016, during the attempt, shots were fired at the U.S. forces' aircraft from Hajji Iman's location. U.S. forces returned fire, killing Hajji Iman and the other associates at the location. Moreover, NSA intelligence also confirmed that Hajji Iman - a key terrorist target - was in fact dead.

The search for Hajji Iman was ultimately successful primarily because of information obtained under one of our surveillance authorities known as Section 702 of the Foreign Intelligence Surveillance Act (FISA). Indeed, the foreign intelligence about the activities of Hajji Iman and his associates was the result of electronic surveillance under Section 702, and Section 702 collection also corroborated his ultimate demise.

As this story demonstrates, Section 702 represents one of NSA's most important intelligence surveillance authorities, and it provides tremendous value in the nation's fight against foreign terrorists. In fact, a few years ago, the Privacy and Civil Liberties Oversight Board reported publicly that more than a quarter of our international terrorism reporting was based in whole or in part on information collected under Section 702. But that's not all it contributes. Among other things, Section 702 also enables collection of information on foreign weapons proliferators and informs our cybersecurity efforts. The statute, however, is scheduled to sunset at the end of this year if it is not reauthorized by Congress. To say that losing this authority would be grave is an understatement; in truth, a failure to reauthorize Section 702 would place the U.S. at a perilous disadvantage, hindering our ability to identify and respond to threats against the nation and our allies.

The theme of this afternoon's conference is "Judicial Accountability for U.S. National Security and Counterterrorism Policies." In keeping with that theme, I'd like to focus today on Section 702 of FISA - one of our best weapons in the fight against terrorism - and the critical role that the judiciary plays in overseeing our activities under that authority. In my opinion - which admittedly, may be biased - intelligence surveillance under Section 702 embodies nearly all of the quintessential issues and challenges that could convene at the crossroads between judicial accountability and national security. For example, Section 702 itself is a relatively new amendment to the FISA statute, with less than a decade of legal and operational history. It was written to accommodate prior developments in technology, but also intended to adapt to future changes by remaining technology neutral. It also provides a detailed blueprint for the oversight role of the judiciary, assigning a level of responsibility to the Foreign Intelligence Surveillance Court (FISC) that is not within the customary "case or controversy" framework and, indeed, that extends beyond the traditional scope of judicial review. Finally, although the targeting of Americans is expressly prohibited by the statute, Section 702's reach implicates the Fourth Amendment privacy protections of U.S. persons.

In using 702 as a practical example of the application of judicial accountability and national security policy, it's obviously important to understand at the outset how and why Congress enacted Section 702. I will describe that process and then briefly describe how the statute operates in practice, including some of its unique requirements, prohibitions, and criticisms. Finally, I will examine the judiciary's vital role in ensuring that our operations under Section 702 meet the needs of our national security mission while also incorporating reasonable protections for the privacy of United States persons.

The Statute's Origins

Section 702's history begins nearly 40 years ago. Consider the communications of the 1970s. Email did not exist, fax machines were not yet ubiquitous, and smart phones were an object of the future. People communicated with their friends and neighbors mostly by telephones that were connected by land lines. International communications, however, were more commonly in the air, such as radio or satellite. When the government monitored international communications, the collection was conducted mainly through surveillance of these "wireless" type communications, which was either done overseas or, if domestic, did not involve compelling a service provider, so there was no need for specific statutory authority. It was in this more limited communications environment that the Foreign Intelligence Surveillance Act was enacted by Congress in 1978. FISA's language outlined the contours of a court-authorized process for conducting four specific types of electronic surveillance against foreign powers or their agents operating inside the United States. Its intent was to largely exclude from the statute's scope surveillance on foreign persons located outside the United States, and so Congress drafted FISA to distinguish between collection off of a wire and collection out of the air. Congress understood that, based on the technology of 1978, most surveillance of overseas targets would fall outside of FISA's reach because of the way it defined electronic surveillance.

With the advent of the internet and cellular telephones, the technological landscape completely reversed. Local calls were now mostly in the air, while transmission of international communications shifted from radios and satellites to subsea fiber optic cables. Suddenly, many international communications that would have generally fallen outside the scope of the FISA statute in 1978, when they were carried by radio or satellite, were now potentially included. The 1978 definitions of electronic surveillance hinged in part on the location at which collection occurred. This fact became significant as American internet and communications technology became globally dominant; people around the world started using American email systems and other applications. Our foreign intelligence targets were no exception, as they increasingly gravitated to communications services based in the U.S. As a result, if the government wanted to conduct electronic surveillance on a foreign target who was communicating overseas with another foreign target, it was increasingly the case that that collection potentially fell within FISA's scope as the point of collection was often a service provider here in the U.S. In many such cases, the only way that the government could obtain the foreign intelligence it needed was to get a FISA order. In order to obtain those orders, the government had to prepare the same type of FISA application - a traditional Title I FISA application - that it would submit when the surveillance was targeted at a U.S. person. These traditional Title I FISA applications required the government to demonstrate "probable cause" to believe that the proposed target was a foreign power or agent of a foreign power and that the target was using or about to use the targeted facility (such as a telephone number or email address). As you all know, proving the existence to a federal judge of "probable cause" is hardly a trivial matter.

This unintended and anomalous consequence involving how we treated foreigners proved costly to the government. Despite the foreign nature of the intended targets, in many instances the government was required to meet the same high standard that was in place to protect U.S. persons and persons inside the United States, who are entitled to Fourth Amendment protections. In practice, it simply was not possible for the government to process a lengthy traditional FISA application for each valid foreign target who happened to use a U.S. service provider to conduct his or her activities. The government instead had to focus its limited resources on only a small subset of the highest priority targets, which left many targets of foreign intelligence value outside the reach of our surveillance. In addition, there were cases in which the government simply did not have enough information about a foreign target to put together a traditional FISA application that would meet the high probable cause standard, even though the intended target was a foreigner located overseas and thus not entitled to Fourth Amendment protections.

We were thus faced with a conundrum: part of our mission involves collecting signals intelligence to defend our country from terrorist attacks and other plots, but we were at risk of letting individuals such as Hajji Iman go undetected simply because of an unforeseen byproduct of technological developments that forced the government to afford heightened privacy protections to foreign targets.

Recognizing the impediments created by this change in technology, the Bush administration and Congress addressed the issue by enacting Section 702 as part of the FISA Amendments Act of 2008. It was reauthorized again in 2012 with the support of the Obama administration. During both the initial enactment and the first reauthorization, Section 702 enjoyed significant bipartisan support in Congress. Congress's fix enabled the government to target for surveillance foreigners located outside the U.S. with the compelled assistance of U.S. service providers. Rather than requiring the government to submit individual applications for each target, Section 702 instead requires the Attorney General and the Director of National Intelligence to submit to the Foreign Intelligence Surveillance Court, or FISC, annual certifications describing the categories of foreign intelligence that the government is permitted to collect. The statute does not permit us to target foreigners indiscriminately, however. Instead, it demands that surveillance under Section 702 be conducted for the purpose of gathering foreign intelligence information, and each and every 702 target must fit within the scope of one of our approved certifications.

The Foreign Intelligence Surveillance Court

It was clear from the outset that Congress anticipated that the judiciary would play a critical role in ensuring that the collection activities carried out under Section 702 remained lawful. Indeed, in a 2008 opinion, the FISC Court of Review best explained the difficult exercise that courts undertake when overseeing national security programs, stating: "Our government is tasked with protecting an interest of utmost significance to the nation - the safety and security of its people. But the Constitution is the cornerstone of our freedoms, and government cannot unilaterally sacrifice constitutional rights on the altar of national security. Thus, in carrying out its national security mission, the government must simultaneously fulfill its constitutional responsibility to provide reasonable protections for the privacy of United States persons. The judiciary's duty is to hold that delicate balance steady and true."

Recognizing the importance of judicial accountability for foreign intelligence surveillance under FISA, Congress designed a specialized court authorized to operate in secret - the FISC - to encourage rigorous oversight of activities conducted under FISA. Even its structure is deliberately assembled to serve that purpose. FISC judges are selected by the Chief Justice to serve for up to seven years, on staggered terms, which guarantees continuity and subject matter expertise on critical issues. In addition, the FISC is required by statute to be composed of judges drawn from at least seven of the U.S. judicial circuits. This statutory makeup ensures that the FISC includes judges from a diversity of backgrounds and geographic regions, rather than a court that might tend toward unanimity of thought or particular judicial sympathies.

The FISC represents the linchpin of Section 702 oversight on behalf of the judiciary, with responsibility for adjudicating all of the government's surveillance applications submitted pursuant to FISA. Even with this specialized court in place, however, Section 702 can also be subject to collateral review by other federal courts. I will return later to this avenue of judicial accountability.

One of the inevitable consequences of the fact that the proceedings of the FISC must of necessity be at the classified level is that the public is denied the ability to see for itself how the judiciary holds the executive branch accountable in this arena. It's thus no surprise that some misperceptions will arise, which will be difficult to correct without resorting to classified information. For example, one oft-repeated criticism of the current FISA statute is that the FISC operates as nothing more than a "rubber stamp" for the government's activities. That could not be further from the truth. As one who has had the privilege of standing before the Chief Judge of the FISC at a hearing on an NSA compliance incident, I can personally attest to that. Each annual Section 702 certification application is reviewed by the FISC to ensure that it meets all statutory and constitutional requirements. Along with each annual certification application, the government must also submit for FISC approval two sets of procedures that it intends to use when conducting 702 collection. The FISC will approve the certifications and the accompanying procedures, thus permitting the government to engage in 702 collection, only when it is satisfied that they are consistent with both statutory and Fourth Amendment requirements.

The first set of procedures, called targeting procedures, is intended to ensure that only valid targets - foreign persons located outside the U.S. - are targeted for foreign intelligence collection. When foreign intelligence is collected on a valid target, however, Section 702 permits the government to collect both sides of that target's communications. Sometimes, this may include communications to or from, or that discuss information about, someone who is not the target of our surveillance. This is often referred to as incidental collection. The second set of procedures, referred to as minimization procedures, is intended to address incidental collection by laying out guidelines for the protection of any U.S. person information that happens to be incidentally acquired in the course of Section 702.

Indeed, one of the primary criticisms of Section 702 has revolved around concerns about the incidental collection of U.S. person information. The court system has proved to be instrumental in shaping the contours of permissible incidental collection during the course of surveillance, both for foreign intelligence and law enforcement purposes. In both the foreign intelligence and criminal contexts, courts have recognized that the identities of all persons who may contact or be contacted by a suspect (or a surveillance target) cannot be known. If the surveillance is otherwise lawful, the mere fact of incidental collection, on its face, does not render an acquisition unlawful. In fact, the Supreme Court reviewed this very circumstance in United States vs. Kahn. Kahn was a criminal case in which law enforcement obtained a Title III wiretap warrant on the home phone lines of Irving Kahn, a suspected gambling bookmaker. On the same day that Kahn called home to discuss gambling wins and losses, his wife Minnie also used their home phone to call a known gambling figure to discuss betting information. Minnie was then indicted along with her husband. The Supreme Court permitted the government to use Minnie's intercepted communications in her prosecution, recognizing that the wiretap warrant included language covering "persons yet unknown." The Court rejected Minnie's argument that the warrant's language amounted to a generalized warrant, because it permitted the acquisition of only those communications concerning particular gambling offenses and it required agents to minimize the interception of any innocent conversations.

Although Kahn involved a Title III criminal wiretap warrant, the underlying principles extend to the national security context. Part of the reason that incidental collection of U.S. person information under Section 702 has been tolerated by courts is due to the extensive procedures that we have in place to ensure that when such information is collected, it is handled appropriately and in a manner that protects the privacy of U.S. persons. It will not surprise you to know that the FISC looked specifically at the constitutionality of incidental collection in the 702 context in its very first opinion on 702 after the statute's enactment in 2008. After reviewing the government's original application for 702 certifications, the court recognized that 702 acquisitions may intrude upon interests protected by the Fourth Amendment to the extent that U.S. persons are parties to communications to or from a target. The FISC reviewed the two sets of targeting and minimization procedures proposed by the government for protecting U.S. persons and found that although the possibility of incidental collection "present[s] a real and non-trivial likelihood of intrusion on Fourth Amendment-protected interests," that possibility did not, by itself, "render the procedures unreasonable under the Fourth Amendment." Indeed, the FISC acknowledged that "the extent of such intrusion will be less in this context than in cases involving the intentional targeting of persons protected by the Fourth Amendment or otherwise lacking comparable targeting procedures."

Although incidental collection is a good example of the types of issues falling within the scope of judicial review, I can assure you that the FISC looks well beyond just the handling of incidentally collected information when reviewing the government's FISA surveillance activities. The FISC is entitled to call upon the assistance of amici when evaluating a novel or significant interpretation of the law or when it requires outside technical expertise. This amicus provision, which was added to FISA as part of the USA FREEDOM Act amendments in 2015, enables the court to draw upon additional expertise and outside perspectives when evaluating a proposed surveillance activity, thus ensuring that the FISC's oversight remains both robust and knowledgeable. The court has designated a pool of experts in national security to serve as amicus curiae at the court's request. Amici are specifically instructed to provide to the court "legal arguments that advance the protection of individual privacy and civil liberties," "information related to intelligence collection or communications technology," or any other legal arguments relevant to the issue before the court.

The FISC's amicus provisions are more than a mere statutory wink and nod to strong judicial oversight. The court has in fact called upon its amici to assist in evaluating Section 702 activities. In 2015, the FISC appointed an amicus to analyze what the court felt were two novel or significant interpretations of law that arose as part of its review of the government's annual application for 702 certifications. The first issue involved whether queries of 702 collection that are designed to return information concerning U.S. persons are consistent with statutory and constitutional requirements. The second question involved whether there were any statutory or constitutional concerns about preserving information collected under Section 702 for litigation purposes that would otherwise be subject to destruction under the government's minimization procedures. On both issues, the FISC carefully considered the views of the amicus, ultimately concluding that both of the proposed procedures were reasonably tailored to protect the privacy of U.S. persons and thus permissible under both the FISA statute and the constitution.

When it reviews our annual 702 certification applications, the FISC does not limit its inquiry to the four corners of the proposed certifications that we submit. The court instead carefully considers all information that might bear on the lawfulness of the government's Section 702 activities. For example, on an ongoing basis, the government is required to notify the FISC of any compliance incidents that arise while carrying out collection under Section 702. We continue to release (in redacted form) filings that capture many of our extensive interactions with the FISC on Section 702 activities. These filings are concrete examples of the meticulous inquiries that the FISC undertakes when examining electronic surveillance, in an effort to hold that delicate balance between national security and constitutional protections. The releases reflect the numerous hearings, written inquiries, and briefings that occur as the FISC reviews Section 702 activities and dissects areas of concern, including any relevant compliance incidents. These documents demonstrate just how accountable we are to our FISC overseers, and how seriously those judges take their responsibility to scrutinize our FISA surveillance activities.

Some Key FISC Opinions

I'd like to highlight briefly some of the key FISC opinions, both favorable and critical, so that you can get a tangible sense of how this judicial accountability works in practice. In 2008, as I discussed above, the FISC issued its first opinion on the 702 authority shortly after the FISA Amendments Act was passed. That opinion recounts the interactions between the court and the government as the FISC judge worked to fully understand how the government intended to implement its new Section 702 authority. Those interactions included a preliminary review by the court of the government's submissions, meetings with FISC staff to discuss the court's questions on the proposed targeting and minimization procedures, several written government submissions responding to FISC questions, and a hearing before the FISC on the application package. After all of these exchanges, the court ultimately found that the proposed 702 collection, if conducted in compliance with the government's targeting and minimization procedures, was reasonable under the Fourth Amendment and consistent with the requirements of FISA.

In 2011, however, the court's review of the government's annual 702 certifications entailed other considerations. Though the government originally filed its applications in April 2011, the FISC granted several extensions, spanning until October, to allow time for the government to better explain to the court certain newly described details about its "upstream" 702 collection, which involves the interception of internet communications as they transit the telecommunications backbone. The court ultimately granted in part and denied in part the government's applications, concluding that one aspect of the government's proposed upstream 702 collection was, in some respects, deficient on statutory and constitutional grounds. The discussion did not, however, end with this opinion. Instead, the court allowed the government 30 days to remedy the problematic portion of its collection. By late October, the government had submitted amended minimization procedures that included additional privacy safeguards, and the court concluded that these amended procedures remedied the deficiencies identified in its earlier opinion. The 2011 certification process, while protracted, is, in my view, an oversight success story. The court identified an area of concern and, in turn, the government worked hard to provide the court with technical information so that it could make an informed decision about our proposed activities. In response to the court's reasoned judgment, we tailored our procedures to remedy the perceived deficiencies.

I've already spoken about the court's use of FISA's amicus provisions while reviewing the annual 702 certifications in 2015, but the FISC's 2015 opinion is important for other reasons as well. Notably, although the FISC did approve our 702 certifications and accompanying procedures for 2015, it imposed additional reporting requirements on the government going forward, in a clear expression of its oversight authority. Specifically, the FISC ordered the government to submit three separate reports describing the government's implementation of particular targeting and minimization procedures, and it requested substantive updates, along with a hearing, on four different compliance issues discussed in its opinion.

Most recently, after initially submitting its application for renewal of the 702 certifications in the fall of 2016, the government self-reported to the FISC additional information regarding a previously-identified compliance incident involving our upstream collection under Section 702. In light of its concerns with this information, the FISC extended its time to review the 2016 certifications in order to better understand the scope of the compliance incident and ensure a thorough review. During the extension period, we decided that the most prudent course of action would be to stop conducting the type of upstream collection that was causing the compliance concerns, even though we appreciated that this curtailment would result in some intelligence losses. We accordingly amended the 2016 certifications and accompanying procedures in March of this past year to account for this change in our collection. As is evident in the recently-released opinion, the Court scrutinized the new scope of collection and how our amended procedures applied to that collection, ultimately concluding that the proposed activities were consistent with statutory and constitutional requirements. As in 2015, however, the FISC required additional reports and updates from the government to ensure that it maintains current oversight over our 702 activities. Among other things, we are required to submit written updates every 90 days on our implementation of the changes to our upstream collection activities.

Other Judicial Review

As I noted earlier, judicial scrutiny of Section 702 is not limited to the FISC in connection with its statutorily authorized duty to review FISA surveillance. In certain circumstances, challenges to surveillance programs can be brought in other federal courts across the country. One recent court case is particularly illustrative of the review of Section 702 outside of the FISC, and here is how it commenced:

A few years ago, a young man named Mohamed Mohamud was studying engineering at Oregon State University. He had emigrated to the U.S. from Somalia with his family when he was only three, and he later became a naturalized U.S. citizen. He grew up around Portland, Oregon, enjoying many typical American pursuits like music and the Los Angeles Lakers. In 2008, however, he was involved in an incident at Heathrow Airport in London during which he believed he was racially profiled by airport security. This incident set Mohamud on a path toward radicalization. He began reading jihadist literature and corresponding with other Al-Qaeda supporters. In 2010, he was arrested and indicted for his involvement in a plot to bomb the Christmas Tree Lighting Ceremony in Portland, which was scheduled to take place the day after Thanksgiving. He was eventually found guilty of attempted use of a weapon of mass destruction.

After the verdict but before his sentencing, the government provided Mohamud with a supplemental notice that it had offered into evidence or otherwise used or disclosed during the proceedings information derived from Section 702 collection. After receiving this notice, Mohamud petitioned the court for a new trial, arguing that any 702-derived information should be suppressed because, among other reasons, he claimed that Section 702 violated the Fourth Amendment. The federal district court considered Mohamud's claims before ultimately holding that 702 was constitutional. In so holding, the court found that 702 surveillance does not trigger the Fourth Amendment's warrant requirement because any collection of U.S. person information occurring as a result of constitutionally permissible 702 acquisitions occurs only incidentally and, even if it did trigger the warrant requirement, a foreign intelligence exception applies. The court also found that "the government's compelling interest in protecting national security outweighed the intrusion of Section 702 surveillance on an individual's privacy," so the 702 collection at issue in that case was reasonable under the Fourth Amendment.

Mohamud appealed the district court's ruling to the Ninth Circuit, where the Circuit Court again looked at the constitutionality of the 702 collection at issue, with particular scrutiny on incidental collection. The Ninth Circuit concluded that the government's surveillance in this case was consistent with constitutional and statutory requirements; even if Mohamud had a Fourth Amendment right to privacy in any incidentally-collected communications, the government's searches were held to be reasonable.

Though it might mark me as a Pollyanna, rather than finding these legal challenges to our programs onerous, I like to consider them encouraging demonstrations of the functionality of our system of checks and balances. Intelligence surveillance is a complex enterprise, and we don't want these types of activities carried out in a vacuum. As is true throughout our government, accountability to the judiciary, whether in closed FISC proceedings or public criminal cases, provides a critical and independent check against the Executive Branch in the national security context. Each time a federal judge takes a hard look at an authority like 702, it offers us a fresh perspective on our activities and affords us another opportunity to either further refine our program or take comfort in judicial validation of the manner in which we have been conducting our surveillance for national security purposes. At the end of the day, either outcome is positive for the American public.