Privacy And Civil Liberties Board Mostly Unconcerned About PRISM Or Backbone Tapping By NSA
from the that's-unfortunate dept
As expected, the Privacy and Civil Liberties Oversight Board (PCLOB) has now issued its analysis of the Section 702 surveillance done by the NSA (and, as revealed earlier this week, passed on to the FBI and CIA). You may recall that, back in January, the PCLOB issued a scathing report about the NSA’s Section 215 bulk data collection efforts, calling the program both illegal and unconstitutional. In contrast, the report on the 702 program is much more muted — claiming that the program is constitutional, legal and effective as a counterterrorism tool. Like the previous report, this new one is highly readable — and I recommend reading it in its entirety. However, the legal analysis is disappointing compared to the earlier report.
The report details how the program works, in a manner that doesn’t really reveal too much that’s new for folks who have been following all of the details over the past year, but does confirm the basics of how the Section 702 collections work — something that many, many people seem to be confused about. In short, the Section 702 program is made up of two different collections of information. The first is the infamous PRISM program, which is not as broad as many people have believed in the past. This is when, under FISA Court approval, various internet companies are given certain “selectors” related to non-US persons, and those companies are compelled to hand over the communications to or from that person:
In PRISM collection, the government sends a selector, such as an email address, to a United States-based electronic communications service provider, such as an Internet service provider (“ISP”), and the provider is compelled to give the communications sent to or from that selector to the government. PRISM collection does not include the acquisition of telephone calls. The National Security Agency (“NSA”) receives all data collected through PRISM. In addition, the Central Intelligence Agency (“CIA”) and the Federal Bureau of Investigation (“FBI”) each receive a select portion of PRISM collection.
This is different from the much more troubling “upstream” collection, which comes from directly tapping the internet backbone and basically sifting through everything possible to see if any triggers are hit. This is where the infamous “about” triggers are included. As we’ve been discussing, the NSA doesn’t just collect communications to and from targets, but also “about” them — and that all happens at the upstream level, rather than PRISM. Upstream is also where the NSA is able to collect audio communications.
Upstream collection differs from PRISM collection in several respects. First, the acquisition occurs with the compelled assistance of providers that control the telecommunications “backbone” over which telephone and Internet communications transit, rather than with the compelled assistance of ISPs or similar companies. Upstream collection also includes telephone calls in addition to Internet communications. Data from upstream collection is received only by the NSA: neither the CIA nor the FBI has access to unminimized upstream data. Finally, the upstream collection of Internet communications includes two features that are not present in PRISM collection: the acquisition of so-called “about” communications and the acquisition of so-called “multiple communications transactions” (“MCTs”). An “about” communication is one in which the selector of a targeted person (such as that person’s email address) is contained within the communication but the targeted person is not necessarily a participant in the communication. Rather than being “to” or “from” the selector that has been tasked, the communication may contain the selector in the body of the communication, and thus be “about” the selector. An MCT is an Internet “transaction” that contains more than one discrete communication within it. If one of the communications within an MCT is to, from, or “about” a tasked selector, and if one end of the transaction is foreign, the NSA will acquire the entire MCT through upstream collection, including other discrete communications within the MCT that do not contain the selector.
While PRISM has been the sexy target for complaints due to its name and connection to easy target tech companies, the upstream sifting through the backbone has always been the much more troubling program, and this report confirms that.
Unfortunately, unlike the PCLOB’s report on the Section 215 program, here the PCLOB more or less throws up its hands over the possible legal and constitutional issues, insisting that it’s probably fine or that violations are “incidental.” The EFF has issued a scathing condemnation of the report, noting its most glaring weakness: a failure to recognize that the Constitution requires a warrant to collect any such data in the first place. The PCLOB seems to totally ignore this requirement, as the EFF points out:
The board skips over the essential privacy problem with the 702 “upstream” program: that the government has access to or is acquiring nearly all communications that travel over the Internet. The board focuses only on the government’s methods for searching and filtering out unwanted information. This ignores the fact that the government is collecting and searching through the content of millions of emails, social networking posts, and other Internet communications, steps that occur before the PCLOB analysis starts. This content collection is the centerpiece of EFF’s Jewel v. NSA case, a lawsuit battling government spying filed back in 2008.
The board’s constitutional analysis is also flawed. The Fourth Amendment requires a warrant for searching the content of communication. Under Section 702, the government searches through content without a warrant. Nevertheless, PCLOB’s analysis incorrectly assumes that no warrant is required. The report simply says that it “takes no position” on an exception to the warrant requirement when the government seeks foreign intelligence. The Supreme Court has never found this exception.
PCLOB findings rely heavily on the existence of government procedures. But, as Chief Justice Roberts recently noted: “the Founders did not fight a revolution to gain the right to government agency protocols.” Justice Roberts’ thoughts are on point when it comes to NSA spying—mass collection is a general warrant that cannot be cured by government’s procedures.
Frankly, it does seem bizarre that the PCLOB fails to even consider the original collection and whether or not that violates the 4th Amendment. The Constitutional analysis in the report seems to leap over that question almost entirely, focusing just on the question of what the NSA hangs onto later. The brief discussion about the actual collection basically just says “well, this is tricky, because we’re not looking at a single instance, but rather an entire program — some of which may be Constitutional and some of which may be not, so we’ll just lump it all together and see if it meets the “reasonable” test.” That seems… questionable. If any part of the program is unconstitutional then that’s a problem. You don’t get to lump it all together and say that, on the whole, it’s probably Constitutional because most of the searches and collection would likely be allowed. Even as such, the PCLOB says that the program — especially the backdoor searches on Americans — pushes the program “close to the line of constitutional reasonableness” but probably not over it.
These features of the Section 702 program, and their cumulative potential effects on the privacy of U.S. persons, push the entire program close to the line of constitutional reasonableness. At the very least, too much expansion in the collection of U.S. persons’ communications or the uses to which those communications are put may push the program over the line. The response if any feature tips the program over the line is not to discard the entire program; instead, it is to address that specific feature.
And, indeed, nearly all of the “recommendations” are to “address” minor aspects that the PCLOB finds to be potentially troubling, but without making any significant changes to the way either part of the program functions.
For example, concerning those “about” searches, the PCLOB basically says that it would be nice if they were limited, but that the NSA doesn’t really have a way to do that, so, oh well, what can you do?
With regard to the NSA’s acquisition of “about” communications, the Board concludes that the practice is largely an inevitable byproduct of the government’s efforts to comprehensively acquire communications that are sent to or from its targets. Because of the manner in which the NSA conducts upstream collection, and the limits of its current technology, the NSA cannot completely eliminate “about” communications from its collection without also eliminating a significant portion of the “to/from” communications that it seeks. The Board includes a recommendation to better assess “about” collection and a recommendation to ensure that upstream collection as a whole does not unnecessarily collect domestic communications.
Similarly, the PCLOB notes that, despite all of the information the intelligence community was willing to share with it, that did not include details of how many US persons were impacted by the program:
The government is presently unable to assess the scope of the incidental collection of U.S. person information under the program. For this reason, the Board recommends several measures that together may provide insight about the extent to which communications involving U.S. persons or people located in the United States are being acquired and utilized.
So, in short, on some of the biggest questions in front of the PCLOB, it basically says “Well, there’s not much we can do, but it would sure be nice if we had more info next time.” Blech. Shouldn’t those be the point at which the PCLOB says “Hey, wait, that’s unacceptable and illegal and needs to be fixed!”
While at first, it did seem that the report was ignoring the privacy rights of non-US persons, it does actually include a fairly thorough section on such privacy rights, and how those rights actually do have some built-in protections under the program. While it’s a low bar, it’s at least moderately reassuring that the program is not, as some assumed, designed to say “non-US persons have no privacy rights whatsoever.” The report also notes international law, and President Obama’s newly issued rules for protecting the privacy rights of non-US persons, but notes that those rules have not yet been fully implemented and could change the analysis.
In the end, the report does provide some valuable clarifications and explanations of what’s going on — but it’s disappointingly weak in the legal and Constitutional analysis. If you’re interested in the specific recommendations of the PCLOB, we’ve included them below, above the embedded report.
Regarding Targeting and Tasking:
- Recommendation 1: The NSA’s targeting procedures should be revised to (a) specify criteria for determining the expected foreign intelligence value of a particular target, and (b) require a written explanation of the basis for that determination sufficient to demonstrate that the targeting of each selector is likely to return foreign intelligence information relevant to the subject of one of the certifications approved by the FISA court. The NSA should implement these revised targeting procedures through revised guidance and training for analysts, specifying the criteria for the foreign intelligence determination and the kind of written explanation needed to support it. We expect that the FISA court’s review of these targeting procedures in the course of the court’s periodic review of Section 702 certifications will include an assessment of whether the revised procedures provide adequate guidance to ensure that targeting decisions are reasonably designed to acquire foreign intelligence information relevant to the subject of one of the certifications approved by the FISA court. Upon revision of the NSA’s targeting procedures, internal agency reviews, as well as compliance audits performed by the ODNI and DOJ, should include an assessment of compliance with the foreign intelligence purpose requirement comparable to the review currently conducted of compliance with the requirement that targets are reasonably believed to be non-U.S. persons located outside the United States.
Regarding U.S. Person Queries:
- Recommendation 2: The FBI’s minimization procedures should be updated to more clearly reflect the actual practice for conducting U.S. person queries, including the frequency with which Section 702 data may be searched when making routine queries as part of FBI assessments and investigations. Further, some additional limits should be placed on the FBI’s use and dissemination of Section 702 data in connection with non–foreign intelligence criminal matters.
- Recommendation 3: The NSA and CIA minimization procedures should permit the agencies to query collected Section 702 data for foreign intelligence purposes using U.S. person identifiers only if the query is based upon a statement of facts showing that it is reasonably likely to return foreign intelligence information as defined in FISA. The NSA and CIA should develop written guidance for agents and analysts as to what information and documentation is needed to meet this standard, including specific examples.
Regarding the Role of the FISA Court:
- Recommendation 4: To assist in the FISA court’s consideration of the government’s periodic Section 702 certification applications, the government should submit with those applications a random sample of tasking sheets and a random sample of the NSA’s and CIA’s U.S. person query terms, with supporting documentation. The sample size and methodology should be approved by the FISA court.
- Recommendation 5: As part of the periodic certification process, the government should incorporate into its submission to the FISA court the rules for operation of the Section 702 program that have not already been included in certification orders by the FISA court, and that at present are contained in separate orders and opinions, affidavits, compliance and other letters, hearing transcripts, and mandatory reports filed by the government. To the extent that the FISA court agrees that these rules govern the operation of the Section 702 program, the FISA court should expressly incorporate them into its order approving Section 702 certifications.
Regarding Upstream “About” Collection:
- Recommendation 6: To build on current efforts to filter upstream communications to avoid collection of purely domestic communications, the NSA and DOJ, in consultation with affected telecommunications service providers, and as appropriate, with independent experts, should periodically assess whether filtering techniques applied in upstream collection utilize the best technology consistent with program needs to ensure government acquisition of only communications that are authorized for collection and prevent the inadvertent collection of domestic communications.
- Recommendation 7: The NSA periodically should review the types of communications acquired through “about” collection under Section 702, and study the extent to which it would be technically feasible to limit, as appropriate, the types of “about” collection.
Regarding Accountability and Transparency:
- Recommendation 8: To the maximum extent consistent with national security, the government should create and release, with minimal redactions, declassified versions of the FBI’s and CIA’s Section 702 minimization procedures, as well as the NSA’s current minimization procedures.
- Recommendation 9: The government should implement five measures to provide insight about the extent to which the NSA acquires and utilizes the communications involving U.S. persons and people located in the United States under the Section 702 program. Specifically, the NSA should implement processes to annually count the following: (1) the number of telephone communications acquired in which one caller is located in the United States; (2) the number of Internet communications acquired through upstream collection that originate or terminate in the United States; (3) the number of communications of or concerning U.S. persons that the NSA positively identifies as such in the routine course of its work; (4) the number of queries performed that employ U.S. person identifiers, specifically distinguishing the number of such queries that include names, titles, or other identifiers potentially associated with individuals; and (5) the number of instances in which the NSA disseminates non-public information about U.S. persons, specifically distinguishing disseminations that include names, titles, or other identifiers potentially associated with individuals. These figures should be reported to Congress in the NSA Director’s annual report and should be released publicly to the extent consistent with national security.
- Recommendation 10: The government should develop a comprehensive methodology for assessing the efficacy and relative value of counterterrorism programs.