Sunday, June 22, 2008

The Key Questions About the New FISA Bill

Marty Lederman

We've invited David Kris to publish some posts explaining the new FISA bill. Check out his first two posts, just below David Luban's important Commander in Chief post. David K. was Associate Deputy Attorney General in charge of national security issues from 2000 to 2003, and before that he was in the Criminal Appellate section of the Criminal Division. He was widely regarded as one of the very best lawyers in the Department -- and became one of the most trusted, most well-respected authorities in the Department on criminal law and electronic surveillance issues once he moved on to the DAG's Office. As I've written here before, he's extremely thorough, careful, and impartial. We're thrilled to have his input here.

David's posts have prompted me to think about what might be the most important questions the new law will raise. There is a general sense out there that this new law gives the government substantially more powers to surveille communications of U.S. persons -- perhaps in ways that implicate the Fourth Amendment -- but there is, thus far, very little understanding of how that might be so, and how the new surveillance regime will differ from the one in place from 1978 to 2001.

David has begun to answer some of the more important questions. The answers to others remain hidden in the shadows and the vagaries of the law -- and some might never become public. But I think that the answers must be at the heart of any serious assessment of what Jack calls the "New Surveillance State" under which we will be governed very soon. I would be very grateful to David and other readers and bloggers -- and perhaps even the Congress! -- if they can provide further insight into what those answers might be. [This reminds me: The most troubling thing of all about the new statute is probably that virtually no one outside the executive branch has the slightest idea what it authorizes, or how, exactly it will work in practice. Folks such as David and I can provide our best guesses, but this opaque legislative process shares nothing in common with the extensive, transparent debate that occurred during the three years that FISA was under consideration. For more -- much more -- on these process issues and the possible technological practices that might be underlying this issue, I recommend a "Breakfast Table" discussion that David and I conducted at Slate with Orin Kerr and Patrick Keefe last year. Upon rereading it, it occurs to me that the more things change, the more they . . . remain inscrutable.]

But in any event, let's start with the key questions, below the fold . . .
QUESTION ONE: Why has the Administration been so desperate to "modernize" or to circumvent FISA, when its surveillance capabilities were already so extensive: (i) FISA doesn't regulate international-to-international phone calls at all, as long as a U.S. person in the U.S. is not a target; (ii) FISA doesn't regulate any communications intercepted overseas, even if they are international-to-domestic; (iii) to the extent FISA covers international-to-international e-mails intercepted from facilities in the U.S., everyone agrees it should not, and thus that would be an uncontroversial fix (at least assuming there's some way to identify such e-mails in the first instance); and, most importantly, (iv) the FISA Court must, and does, regularly authorize NSA surveillance whenever the agency can demonstrate probable cause that the target of its surveillance is a foreign power (including al Qaeda) or an agent thereof.

In light of all these significant authorities, why the desperate rush to legislate?

David provides the answer to this question, I think: The NSA wishes to be able to engage in what he calls "vacuum-cleaner" surveillance of U.S. facilities in circumstances where (i) there is no way of knowing in advance which calls are wholly international and (ii) there is no way of knowing in advance which of the targets of such vacuum-cleaner surveillance are foreign powers or their agents. The new law apparently will allow this sort of vacuum-cleaner surveillance by authorizing any and all surveillance "targeting . . . persons reasonably believed to be located outside the United States to acquire foreign intelligence information." Under this new standard, there's no need that the surveillance have any connection to al Qaeda, or terrorism, or even to national security. The only substantial requirements are that someone overseas be a "target" and that one "significant purpose" of the surveillance be to acquire "foreign intelligence information," which is very broadly defined to include most anything that occurs overseas and in which the federal government might have an interest (including information necessary to protect against the full range of foreign threats to national security, including both international terrorism and espionage, and information with respect to a foreign power that is necessary to the national defense or foreign affairs).

This sort of "vacuum" surveillance could not be approved under the old FISA scheme, which requires either that the calls be wholly international, or that the interception be made overseas, or that the NSA demonstrate evidence in advance that the target is an agent of a foreign power. Under the new law, the NSA can engage in surveillance where none of those three criteria are met. [NOTE: Many critics of the bill are focusing on the fact that there is no meaningful judicial review to ensure that each case of surveillance meets the new substantive standards. But because those substantive standards are now defined so broadly -- much, much broader than the "agent of a foreign power" standard under FISA -- I doubt that individualized court review to ensure compliance with the statutory standard would make much difference in terms of limiting the scope of surveillance. The real issue is what is permitted.]

QUESTION TWO: As a practical matter, what will the change in FISA coverage mean for the scope and breadth of NSA's interception of domestic-to-international communications involving U.S. persons?

When FISA was enacted, most Americans made very few international phone calls, and the birth of e-mail was many years away. Thus, the NSA's interceptions overseas did not have much of a practical impact on many communications of U.S. persons. Today, by contrast, many of us make innumerable, regular international communications, by phone, e-mail, and other electronic media. Although the NSA theoretically has the ability to intercept those communications overseas, it remains the case under FISA that not too many of our communications are intercepted -- at least not without proof that we are agents of a foreign power.

Under the new regime, presumably NSA (or its computers, anyway) will be permitted to intercept considerably more communications between U.S. persons here in the States and persons abroad -- perhaps even most of those international phone calls, e-mails and other communications, because the new law allows any interceptions of persons overseas if collecting "foreign intelligence information" is a significant objective.

Am I right about this? What is the real, practical difference between the volume and types of domestic-to-international communications that NSA could intercept under FISA until 2001, and those it can and will intercept under the new law? Is it as vast a difference as I am suggesting? I'm really not sure.

David's posts thus far have not quite addressed that question head-on; I hope he'll be able to speak to it further in future posts. Unless and until we learn the answer to this question in some meaningful detail, it will be very difficult for those of us not "in the know" to accurately evaluate the effect of the new law on our privacy -- and will make Fourth Amendment analysis exceedingly speculative and difficult.

QUESTION THREE: When, in the course of its surveillance of overseas targets, the NSA inevitably obtains vast amounts of information about U.S. persons who communicate with those foreign targets, what can the NSA do with that U.S.-person information? Can it permanently store the information? Allow human analysts to study it? Share the information with other agencies (including law enforcement agencies)? Perhaps most importantly -- Can the NSA plug the communications into its computer programs that search for key words, or for "metadata" patterns," so that those computers can identify U.S. persons for further surveillance?

The answer to this all-important question depends on the nature of the required "minimization." The new law will require the Attorney General to adopt minimization procedures consistent with FISA section 101(h). Section 101(h), in turn, requires that such procedures generally "minimize the acquisition and retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons." So far, so good. The trick, however, is that such minimization need only be made "consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information." (And recall how broadly "foreign intelligence information" is defined.) Moreover, even where the information is not foreign intelligence information, section 101(h) permits "the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes." That is to say, even if you were not the original target of the surveillance, the government can make use of and disseminate information about you if your international phone calls or e-mails reveal evidence of any crime. And, of course, if those same communications provide evidence that you are an agent of a foreign power, that evidence can then be used to obtain an order for surveillance of your own phone and/or computer more broadly, under FISA itself.

The minimization requirements, in other words, are small solace: The government may not use or disseminate the information it incidentally obtains concerning U.S. persons . . . unless it has a (national security, foreign affairs or law enforcement) need to do so.

Now, the government quite understandably responds that these minimization requirements are nothing new: They are exactly the same as the requirements that apply when the government incidentally obtains information about U.S. persons from FISA surveillance, or from surveillance occurring overseas, which is not subject to FISA.

Which is true (I think). However, that fairly minor current problem expands exponentially where, as under the new law, the government has a vastly expanded reservoir of foreign-to-domestic communications from which it can cull information about nontargeted U.S. persons.

It seems to me, then, that "modernizing" and strengthening the old minimization standards, to deal with the vast expansion of NSA authority to "incidentally" obtain U.S. person information, and to deal with the explosion of international communications by U.S. persons, is a critical area for further study and possible amendment.

How important is the "exclusivity" provision as a check on even broader executive surveillance practices?

Not very important, I think -- not for several years, anyway. It'll probably be surplusage come January, because Senator Obama has virtually pledged that he would not assert a constitutional authority to disregard the law, and Senator McCain has suggested likewise. Even for President Bush in the next few months, it'll be a non-issue, but for a different reason -- namely, that the new law itself will allow him to do everything he wants, and therefore there will be no need for him to assert any constitutional authority to disregard. This passage from George Terwilliger on the News Hour the other night made the point quite well:
[The exclusivity provision is] very important. And it's important to understand the balance that was struck as to that provision itself. The reason the president had to resort to the [alleged constitutional] authorities that he used before this legislation was because what needed to be done couldn't be done under the old law. Now the procedures have been changed, and the authorization that's been given has been broadened sufficiently to make it possible to do what the intelligence professionals say we need to do, but to do it under these FISA proceedings.
In other words: The President will only violate the law when he thinks it's too restrictive, and this law is not restrictive at all, so there's nothing to worry about. The "balance that was struck," to which Terwilliger refers, is that the White House acceded to the exclusivity provision, in exchange for substantive standards so permissive as to ensure that the exclusivity provision will never be pertinent.

QUESTION FIVE: How can there ever be a meaningful adequate public accounting of the Bush Administration's lawbreaking from 2001 to 2007? After the telecom immunity goes into effect, the odds of a judicial assessment of the legality of the TSP will become increasingly slim. Thus, whether and when the public can ever find out about the extent of the lawbreaking -- and the evolution of the legal manipulation on which it was based -- will almost certainly depend upon whether the next President decides to allow a public accounting, something that will be very difficult for him to accomplish because of the NSA's and telecoms' insistence that everything about the TSP remain classified.

* * * *

Of course these aren't the only important questions. Others will include: whether the new law adequately protects against wholly domestic warrantless wiretapping; whether there is a sufficiently specific and limiting definition of "targeting"; whether the IG and congressional oversight is sufficiently rigorous; whether, as I suggested earlier, the directive that courts dismiss lawsuits against telecoms, regardless of the merits of such suits, raises an arcane constitutional problem; etc. And I'm sure I've missed several others.

But that's plenty for starters.


The procedures that need to be looked at closely are three: the targeting procedure, the minimization procedure and the continuation rules.

Since I don't know if David will address those that you haven't mentioned, I will stick to the minimization procedure. The data gathered under the targeting procedure is subject to minimization, and is to be processed in databases with data mining procedures, which include learning algorithms and statistical updates. Since the minimization procedures only require that data that must be minimized not be looked at by people, until their destruction after 4 days, they can be used as input to these data mining programs, updating weights, changing suspicions on people in the database, completing links in link analyses. Nothing in this bill says they need to be rolled back, and that was one thing the administration was adamant about getting, witness their comments on the Senate Judiciary Committee version which did include rollbacks.

The problem is, in a terrorism or threat style database, once in the database, a person's suspicion level will only increase, and it may increase because of data that has not been acquired as a result of any lawful document, just data that was later minimized.

If a person enters the database and subsequently rises to a level of suspicion worth pursuing a warrant for by data that is all unlawful to acquire, but lawful to use before disposing of, the effect is that anyone can become a target of suspicion.

Add to that that the continuation allows them to put together any scheme for data gathering, even one that cannot be approved, and use it until it runs through a complete set of rulings and appeals, again with no rollback if it finally ends up denied or fixed. It is possible to build databases that diffuse the data such that it never exists in a form that constitutes a breach of privacy directly (if read by a human being) but nevertheless exists. Stipulations about aggregate data in minimization procedures are meaningless if the data fits enough categories, because then it can be inverted (in the sense of a Radon transform or Galois connection) to produce individual data.

I have a hard time accepting that Mr. Kris is posting in good faith. First, his assertion that the government's claim about the ratio of satellite to wire communications for international telecommunications is merely exaggerated is overly generous. In the paper that serves as the basis for his posts here, he quotes Gen. Hayden (CIA head and former NSA head), Gen. Alexander (current NSA head), Adm. McConnell (Director of National Intelligence and former NSA head), and Kenneth Wainstein (Asst AG for National Security) all testifying to Congress making the same claim:

When FISA was passed, almost all international telecommunications were in the air.

This is not an exaggeration. This is a falsehood. All of these men are supposed to be experts on the subject. Are we to believe that somehow three directors of the NSA and our nation's top national security lawyer are all so woefully misinformed about the history of telecommunications that they inadvertantly made false statements to Congress? I think it is more likely that these men brazenly lied to Congress to achieve a political objective. Mr. Kris is trying to put some lipstick on this pig.

The leaks concerning the TSP and the statements of the DNI suggest that the TSP is monitoring captured telephone numbers and email addresses without possessing individualized probable cause for the people using these numbers. This falls between the standard wiretap warrant to gather criminal evidence and the speculation that NSA is conducting data mining of all telecommunications (something the DNI has denied without any dispute from the Intelligence Committee members who have been briefed on and observed the TSP).

The reforms of FISA offered in this bill would essentially ratify such surveillance.

What about criminal actions? Per John Dean on Countdown last week it looks like the people behind it may have forgot to shut the door on criminal prosecutions. Granted, the FISA statute limit is five years, but a proactive AG would be able to mount a prosecution.

Does VOIP services (particularly P2P networks) complicate the application of FISA?

I'm unsure of the precise architecture of those networks, but here's why I ask:

Would a P2P network that had a node in the US fall under the individualized warrant requirement of FISA?

the speculation that NSA is conducting data mining of all telecommunications . . .

is kind of like the speculation that the astronauts landed on the Moon.

Or wait, maybe it's more like the controversy in the "smoking and health controversy" that Philip Morris used in its public utterances. Not proven!

Prof. Lederman:

Under the new regime, presumably NSA (or its computers, anyway) will be permitted to intercept considerably more communications between U.S. persons here in the States and persons abroad -- perhaps even most of those international phone calls, e-mails and other communications, because the new law allows any interceptions of persons overseas if collecting "foreign intelligence information" is a significant objective.

The same technology needed to Hoover U.S.-to-foreign communications from the U.S. is the technology that will allow Hoovering of U.S.-to-U.S. communications. The only restraint is that of the persons or machinery doing the Hoovering and sifting. As long as that's done without the requirement for cause and oversight by someone other than the NSA and/or executive, expect abuses and line-crossing every time someone sees the need or value for such....


"The leaks concerning the TSP and the statements of the DNI suggest that...."

Typos there, "Bart".

"The self-serving leaks concerning the TSP and the statements of the DNI who has already been shown to have lied publicly about FISA and surveillance suggest that...."

Much better. And more accurate.


Post a Comment