I was sufficiently puzzled by Charlie Savage's story yesterday about NSA email monitoring that I waited a day to write anything about it. I'm still pretty puzzled by it, so I'm going to use this post to try to think through it.
Savage is not a bomb thrower but a serious guy, so let's assume the facts he reports to be true. His story describes NSA activity that sounds on its face way more aggressive than anything I have read before---specifically, the copying and scanning of the contents of vast swaths of emails coming into or leaving the United States for keywords indicative of threat. Yet according to Savage, this has been approved by the FISA Court, so there's at least some legal argument that it's proper under both FISA and under the Fourth Amendment.
I think that I have figured out at least most of what's going on here, and it may be a less big deal than it seems on it's face. But there is at least one big gap, and I may be missing things too. So take this is as very tentative.
I'm going to start by quoting all of the hard facts about the surveillance and the government's interpretation of the law that Savage reports:
Hints of the surveillance appeared in a set of rules, leaked by Mr. Snowden, for how the N.S.A. may carry out the 2008 FISA law. One paragraph mentions that the agency “seeks to acquire communications about the target that are not to or from the target.” The pages were posted online by the newspaper The Guardian on June 20, but the telltale paragraph, the only rule marked “Top Secret” amid 18 pages of restrictions, went largely overlooked amid other disclosures.
To conduct the surveillance, the N.S.A. is temporarily copying and then sifting through the contents of what is apparently most e-mails and other text-based communications that cross the border. The senior intelligence official, who, like other former and current government officials, spoke on condition of anonymity because of the sensitivity of the topic, said the N.S.A. makes a “clone of selected communication links” to gather the communications, but declined to specify details, like the volume of the data that passes through them.
. . .
The official said that a computer searches the data for the identifying keywords or other “selectors” and stores those that match so that human analysts could later examine them. The remaining communications, the official said, are deleted; the entire process takes “a small number of seconds,” and the system has no ability to perform “retrospective searching.”
. . .
The rule they ended up writing, which was secretly approved by the Foreign Intelligence Surveillance Court, says that the N.S.A. must ensure that one of the participants in any conversation that is acquired when it is searching for conversations about a targeted foreigner must be outside the United States, so that the surveillance is technically directed at the foreign end.
Americans’ communications singled out for further analysis are handled in accordance with “minimization” rules to protect privacy approved by the surveillance court. If private information is not relevant to understanding foreign intelligence, it is deleted; if it is relevant, the agency can retain it and disseminate it to other agencies, the rules show.
. . .
The senior intelligence official argued, however, that it would be inaccurate to portray the N.S.A. as engaging in “bulk collection” of the contents of communications. “ ‘Bulk collection’ is when we collect and retain for some period of time that lets us do retrospective analysis,” the official said. “In this case, we do not do that, so we do not consider this ‘bulk collection.’ ”
To distill this down to its essence, the FISA Court has approved very temporary mirroring of large volumes of communications to find information "about" potential targets; the government does not regard this mirroring as collection, because the material is not stored for any length of time. It involves the electronic scanning of one-end-overseas emails in bulk for comparison with certain keywords, with human monitoring only for those communications the electronic system then flags as of concern. U.S. person communications are subject to minimization procedures. And there appears to be some fetish about making sure the target of these interceptions is the overseas side of the communication, not the American side.
How can this be legal? Leave aside the Fourth Amendment question, for a minute. Where does FISA permit the government to intercept large volumes of U.S. person communications contents in order to decide whether a target is a U.S. person or someone whose communications are subject to interception?
I think the answer to this question lies in the specific text of the rule Savage cites but does not quote. Here it is in its entirety:
In addition, in those cases where NSA seeks to acquire communications about the target that are not to or from the target, NSA will either employ an Internet Protocol filter to ensure that the person from whom it seeks to obtain foreign intelligence information is located overseas, or it will target Internet links that terminate in a foreign country. In either event, NSA will direct surveillance at a party to the communication reasonably believed to be outside the United States.
In other words, the NSA is allowed---in deciding whether or not it can target Person X---to acquire communications "about" Person X, but only by acquiring communications of a party who is himself reasonably believed to be overseas. On its face, that is entirely reasonable; after all, the whole purpose of Section 702 is to authorize the bulk collection of material overseas. So there's nothing wrong with collecting material overseas about someone to determine whether that person is reasonable target.
The wrinkle here, and what makes Savage's story an interesting contribution, is that he reveals that the NSA is doing a lot of this, that is, is systematically targeting overseas emails that are heading into or out of this country for a kind of quick look for information about a target. As long as the agency is targeting the overseas end of these communications and using minimization procedures properly, this is really not very different from its traditional vacuuming up of satellite and radio transmissions, which we have long known includes one-end-in U.S. communications.
But that leaves a big oddity with respect to the story. The end of Savage's story reads as follows:
There has been no public disclosure of any ruling by the Foreign Intelligence Surveillance Court explaining its legal analysis of the 2008 FISA law and the Fourth Amendment as allowing “about the target” searches of Americans’ cross-border communications. But in 2009, the Justice Department’s Office of Legal Counsel signed off on a similar process for searching federal employees’ communications without a warrant to make sure none contain malicious computer code.
That opinion, by Steven G. Bradbury, who led the office in the Bush administration, may echo the still-secret legal analysis. He wrote that because that system, called EINSTEIN 2.0, scanned communications traffic “only for particular malicious computer code” and there was no authorization to acquire the content for unrelated purposes, it “imposes, at worst, a minimal burden upon legitimate privacy rights.”
The Bradbury opinion was echoed by a later Obama-era opinion by David Barron, and Bradbury later wrote an article about the issue. But here's the thing: If my read is right and the rule Savage cites permits only acquisition of communications "about" potential targets only from folks reasonably believed themselves to be overseas, these opinions are of questionable relevance. Indeed, if my reading is correct, why is there a Fourth Amendment issue here at all? The Fourth Amendment, after all, does not generally have extraterritorial application. This may be a reason to suspect that the issue is more complicated than I'm suggesting here. It may also merely suggest that someone cited to Savage a memo that is of questionable relevance to the issue at hand.