Privacy And Civil Liberties Board Mostly Unconcerned About PRISM Or Backbone Tapping By NSA

from the that's-unfortunate dept

As expected, the Privacy and Civil Liberties Oversight Board (PCLOB) has now issued its analysis of the Section 702 surveillance done by the NSA (and, as revealed earlier this week, passed on to the FBI and CIA). You may recall that, back in January, the PCLOB issued a scathing report about the NSA's Section 215 bulk data collection efforts, calling the program both illegal and unconstitutional. In contrast, the report on the 702 program is much more muted -- claiming that the program is constitutional, legal and effective as a counterterrorism tool. Like the previous report, this new one is highly readable -- and I recommend reading it in its entirety. However, the legal analysis is disappointing compared to the earlier report.

The report details how the program works, in a manner that doesn't really reveal too much that's new for folks who have been following all of the details over the past year, but does confirm the basics of how the Section 702 collections work -- something that many, many people seem to be confused about. In short, the Section 702 program is made up of two different collections of information. The first is the infamous PRISM program, which is not as broad as many people have believed in the past. This is when, under FISA Court approval, various internet companies are given certain "selectors" related to non-US persons, and those companies are compelled to hand over the communications to or from that person:
In PRISM collection, the government sends a selector, such as an email address, to a United States-based electronic communications service provider, such as an Internet service provider (“ISP”), and the provider is compelled to give the communications sent to or from that selector to the government. PRISM collection does not include the acquisition of telephone calls. The National Security Agency (“NSA”) receives all data collected through PRISM. In addition, the Central Intelligence Agency (“CIA”) and the Federal Bureau of Investigation (“FBI”) each receive a select portion of PRISM collection.
This is different from the much more troubling "upstream" collection, which comes from directly tapping the internet backbone and basically sifting through everything possible to see if any triggers are hit. This is where the infamous "about" triggers are included. As we've been discussing, the NSA doesn't just collect communications to and from targets, but also "about" them -- and that all happens at the upstream level, rather than PRISM. Upstream is also where the NSA is able to collect audio communications as well.
Upstream collection differs from PRISM collection in several respects. First, the acquisition occurs with the compelled assistance of providers that control the telecommunications “backbone” over which telephone and Internet communications transit, rather than with the compelled assistance of ISPs or similar companies. Upstream collection also includes telephone calls in addition to Internet communications. Data from upstream collection is received only by the NSA: neither the CIA nor the FBI has access to unminimized upstream data. Finally, the upstream collection of Internet communications includes two features that are not present in PRISM collection: the acquisition of so-called “about” communications and the acquisition of so-called “multiple communications transactions” (“MCTs”). An “about” communication is one in which the selector of a targeted person (such as that person’s email address) is contained within the communication but the targeted person is not necessarily a participant in the communication. Rather than being “to” or “from” the selector that has been tasked, the communication may contain the selector in the body of the communication, and thus be “about” the selector. An MCT is an Internet “transaction” that contains more than one discrete communication within it. If one of the communications within an MCT is to, from, or “about” a tasked selector, and if one end of the transaction is foreign, the NSA will acquire the entire MCT through upstream collection, including other discrete communications within the MCT that do not contain the selector.
While PRISM has been the sexy target for complaints due to its name and connection to easy target tech companies, the upstream sifting through the backbone has always been the much more troubling program, and this report confirms that.

Unfortunately, unlike the PCLOB's report on the Section 215 program, here the PCLOB more or less throws up its hands over the possible legal and constitutional issues, insisting that it's probably fine or that violations are "incidental." The EFF has issued a scathing condemnation of the report, noting its most glaring weakness: a failure to recognize that the Constitution requires a warrant to collect any such data in the first place. The PCLOB seems to totally ignore this requirement, as the EFF points out:
The board skips over the essential privacy problem with the 702 “upstream” program: that the government has access to or is acquiring nearly all communications that travel over the Internet. The board focuses only on the government’s methods for searching and filtering out unwanted information. This ignores the fact that the government is collecting and searching through the content of millions of emails, social networking posts, and other Internet communications, steps that occur before the PCLOB analysis starts. This content collection is the centerpiece of EFF’s Jewel v. NSA case, a lawsuit battling government spying filed back in 2008.

The board’s constitutional analysis is also flawed. The Fourth Amendment requires a warrant for searching the content of communication. Under Section 702, the government searches through content without a warrant. Nevertheless, PLCOB’s analysis incorrectly assumes that no warrant is required. The report simply says that it “takes no position” on an exception to the warrant requirement when the government seeks foreign intelligence. The Supreme Court has never found this exception.

PCLOB findings rely heavily on the existence of government procedures. But, as Chief Justice Roberts recently noted: "the Founders did not fight a revolution to gain the right to government agency protocols." Justice Roberts’ thoughts are on point when it comes to NSA spying—mass collection is a general warrant that cannot be cured by government’s procedures.
Frankly, it does seem bizarre that the PCLOB fails to even consider the original collection and whether or not that violates the 4th Amendment. The Constitutional analysis in the report seems to leap over that question almost entirely, focusing just on the question of what the NSA hangs onto later. The brief discussion about the actual collection basically just says "well, this is tricky, because we're not looking at a single instance, but rather an entire program -- some of which may be Constitutional and some of which may be not, so we'll just lump it all together and see if it meets the "reasonable" test." That seems... questionable. If any part of the program is unconstitutional then that's a problem. You don't get to lump it all together and say that, on the whole, it's probably Constitutional because most of the searches and collection would likely be allowed. Even as such, the PCLOB says that the program -- especially the backdoor searches on Americans -- pushes the program "close to the line of constitutional reasonableness" but probably not over it.
These features of the Section 702 program, and their cumulative potential effects on the privacy of U.S. persons, push the entire program close to the line of constitutional reasonableness. At the very least, too much expansion in the collection of U.S. persons’ communications or the uses to which those communications are put may push the program over the line. The response if any feature tips the program over the line is not to discard the entire program; instead, it is to address that specific feature.
And, indeed, nearly all of the "recommendations" are to "address" minor aspects that the PCLOB finds to be potentially troubling, but without making any significant changes to the way either part of the program functions.

For example, concerning those "about" searches, the PCLOB basically says that it would be nice if they were limited, but that the NSA doesn't really have a way to do that, so, oh well, what can you do?
With regard to the NSA’s acquisition of “about” communications, the Board concludes that the practice is largely an inevitable byproduct of the government’s efforts to comprehensively acquire communications that are sent to or from its targets. Because of the manner in which the NSA conducts upstream collection, and the limits of its current technology, the NSA cannot completely eliminate “about” communications from its collection without also eliminating a significant portion of the “to/from” communications that it seeks. The Board includes a recommendation to better assess “about” collection and a recommendation to ensure that upstream collection as a whole does not unnecessarily collect domestic communications.
Similarly, the PCLOB notes that, despite all of the information the intelligence community was willing to share with it, that did not include details of how many US persons were impacted by the program:
The government is presently unable to assess the scope of the incidental collection of U.S. person information under the program. For this reason, the Board recommends several measures that together may provide insight about the extent to which communications involving U.S. persons or people located in the United States are being acquired and utilized.
So, in short, on some of the biggest questions in front of the PCLOB, it basically says "Well, there's not much we can do, but it would sure be nice if we had more info next time." Blech. Shouldn't those be the point at which the PCLOB says "Hey, wait, that's unacceptable and illegal and needs to be fixed!"

While at first, it did seem that the report was ignoring the privacy rights of non-US persons, it does actually include a fairly thorough section on such privacy rights, and how those rights actually do have some built-in protections under the program. While it's a low bar, it's at least moderately reassuring that the program is not, as some assumed, designed to say "non-US persons have no privacy rights whatsoever." The report also notes international law, and President Obama's newly issued rules for protecting the privacy rights of non-US persons, but notes that those rules have not yet been fully implemented and could change the analysis.

In the end, the report does provide some valuable clarifications and explanations of what's going on -- but it's disappointingly weak in the legal and Constitutional analysis. If you're interested in the specific recommendations of the PCLOB, we've included them below, above the embedded report.

Regarding Targeting and Tasking:  

  • Recommendation 1: The NSA’s targeting procedures should be revised to (a) specify criteria for determining the expected foreign intelligence value of a particular target, and (b) require a written explanation of the basis for that determination sufficient to demonstrate that the targeting of each selector is likely to return foreign intelligence information relevant to the subject of one of the certifications approved by the FISA court. The NSA should implement these revised targeting procedures through revised guidance and training for analysts, specifying the criteria for the foreign intelligence determination and the kind of written explanation needed to support it. We expect that the FISA court’s review of these targeting procedures in the course of the court’s periodic review of Section 702 certifications will include an assessment of whether the revised procedures provide adequate guidance to ensure that targeting decisions are reasonably designed to acquire foreign intelligence information relevant to the subject of one of the certifications approved by the FISA court. Upon revision of the NSA’s targeting procedures, internal agency reviews, as well as compliance audits performed by the ODNI and DOJ, should include an assessment of compliance with the foreign intelligence purpose requirement comparable to the review currently conducted of compliance with the requirement that targets are reasonably believed to be non-U.S. persons located outside the United States. 

Regarding U.S. Person Queries:  

  • Recommendation 2: The FBI’s minimization procedures should be updated to more clearly reflect the actual practice for conducting U.S. person queries, including the frequency with which Section 702 data may be searched when making routine queries as part of FBI assessments and investigations. Further, some additional limits should be placed on the FBI’s use and dissemination of Section 702 data in connection with non–foreign intelligence criminal matters. 
  • Recommendation 3: The NSA and CIA minimization procedures should permit the agencies to query collected Section 702 data for foreign intelligence purposes using U.S. person identifiers only if the query is based upon a statement of facts showing that it is reasonably likely to return foreign intelligence information as defined in FISA. The NSA and CIA should develop written guidance for agents and analysts as to what information and documentation is needed to meet this standard, including specific examples. 

Regarding the Role of the FISA Court: 

  • Recommendation 4: To assist in the FISA court’s consideration of the government’s periodic Section 702 certification applications, the government should submit with those applications a random sample of tasking sheets and a random sample of the NSA’s and CIA’s U.S. person query terms, with supporting documentation. The sample size and methodology should be approved by the FISA court. 
  • Recommendation 5: As part of the periodic certification process, the government should incorporate into its submission to the FISA court the rules for operation of the Section 702 program that have not already been included in certification orders by the FISA court, and that at present are contained in separate orders and opinions, affidavits, compliance and other letters, hearing transcripts, and mandatory reports filed by the government. To the extent that the FISA court agrees that these rules govern the operation of the Section 702 program, the FISA court should expressly incorporate them into its order approving Section 702 certifications. 

Regarding Upstream “About” Collection: 

  • Recommendation 6: To build on current efforts to filter upstream communications to avoid collection of purely domestic communications, the NSA and DOJ, in consultation with affected telecommunications service providers, and as appropriate, with independent experts, should periodically assess whether filtering techniques applied in upstream collection utilize the best technology consistent with program needs to ensure government acquisition of only communications that are authorized for collection and prevent the inadvertent collection of domestic communications.
  • Recommendation 7: The NSA periodically should review the types of communications acquired through “about” collection under Section 702, and study the extent to which it would be technically feasible to limit, as appropriate, the types of “about” collection. 

Regarding Accountability and Transparency: 

  • Recommendation 8: To the maximum extent consistent with national security, the government should create and release, with minimal redactions, declassified versions of the FBI’s and CIA’s Section 702 minimization procedures, as well as the NSA’s current minimization procedures. 
  • Recommendation 9: The government should implement five measures to provide insight about the extent to which the NSA acquires and utilizes the communications involving U.S. persons and people located in the United States under the Section 702 program. Specifically, the NSA should implement processes to annually count the following: (1) the number of telephone communications acquired in which one caller is located in the United States; (2) the number of Internet communications acquired through upstream collection that originate or terminate in the United States; (3) the number of communications of or concerning U.S. persons that the NSA positively identifies as such in the routine course of its work; (4) the number of queries performed that employ U.S. person identifiers, specifically distinguishing the number of such queries that include names, titles, or other identifiers potentially associated with individuals; and (5) the number of instances in which the NSA disseminates non-public information about U.S. persons, specifically distinguishing disseminations that includes names, titles, or other identifiers potentially associated with individuals. These figures should be reported to Congress in the NSA Director’s annual report and should be released publicly to the extent consistent with national security. 

Regarding Efficacy 

  • Recommendation 10: The government should develop a comprehensive methodology for assessing the efficacy and relative value of counterterrorism programs.

Reader Comments (rss)

(Flattened / Threaded)

  •  
    identicon
    Anonymous Coward, Jul 2nd, 2014 @ 7:58am

    This is the most dangerous one of the two, so I imagine the NSA/Obama admin pushed a lot harder to influence the review board here and give it a good grade to make the population think that everything is A-OK.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Michael, Jul 2nd, 2014 @ 8:12am

    And the "Captain Obvious - 2014" award goes to:

    The government should develop a comprehensive methodology for assessing the efficacy and relative value of counterterrorism programs

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jul 2nd, 2014 @ 8:38am

    Every MAJOR problem with society...

    Begins with the words

    The Government SHOULD...!

    The PCLOB shows that they have no value and that we are paying people with our Taxes to be WORTHLESS!

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    sorrykb (profile), Jul 2nd, 2014 @ 8:47am

    Interesting cover page

    So... the cover of this report, with the title superimposed on the Constitution... Is that intentional irony?

    (On second thought, maybe they're just highlighting the attempts of the program to overwrite the Constitution.)

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jul 2nd, 2014 @ 8:52am

    PCLOB = Privacy of Citizens Lobbed out of the window

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Donnicton, Jul 2nd, 2014 @ 9:06am

    It sounds like someone got leaned on after the last report, so they are now a little more open to the idea of gross invasions of privacy.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jul 2nd, 2014 @ 10:03am

    Maybe they think it doesn't/won't affect them.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    AnonyBabs, Jul 2nd, 2014 @ 12:20pm

    Ohhhhhhhhh, I think I get it now: all these panels/committees are using the other definition of "oversight".

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    That One Guy (profile), Jul 2nd, 2014 @ 12:43pm

    Horse-trading at it's finest

    I can't help but think, this coming out so soon after the report regarding the program was pried loose, if a little 'tit for tat' went on behind the scenes, where in exchange for drastically softening the report, the DoJ/NSA promised to release the statistics redaction free.

    Alternatively, it could be that after the first report, which did not go how the WH meant it to after forming the group in the first place, the WH/NSA leaned, hard on the group to make sure that this report came out 'correctly'.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jul 2nd, 2014 @ 6:51pm

    May a suggest a slight alteration of their name to improve the accuracy: Privacy and Civil Liberties Obolishment Board

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jul 2nd, 2014 @ 7:35pm

    How can searching and seizing the contents of every single American's communications without a warrant, not be considered unconstitutional.

    We can't even say the NSA is using general warrants, because no warrants are being issued at all!

    The US Government preaches about how isolationism is bad, and globalization is good. Then turns around and says if we communicate with anyone outside our country, we forfeit our Constitutional rights.

    In reality, I know it doesn't matter if we keep our communications strictly inside the US border. The NSA is going to search and seize them without a warrant anyway. Then hand those warrant-lessly seized communications over the FBI, who will then proceed to parallel reconstruct the evidence for use in court.

    It's all a big farce. Just like it's a farce the Privacy and Civil Liberties Oversight Board is singing a completely different tune compared to their first report that found all this unconstitutional. Now they're skipping completely over the 4th Amendment and stating that everything looks perfectly legal and up to snuff.

    They must have got a major ass chewing from the Executive Branch after that first report they released which actually stated the truth.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      GEMont (profile), Jul 3rd, 2014 @ 8:35pm

      Re:

      The power and beauty of blackmail as a means of creating consent is: The victims never report the crime.

      Every day, in every way, the Federal Government looks more and more like the MAFIA.

      Looks like a century of untaxed drug proceeds have allowed the mob to move into politics big time. :)

      I expect this new "Sudden Capitulation Syndrome" will become a standard occurrence during all of the up and coming "negotiations" and "investigations", such as surveillance legality and trade agreement based copyright legislation.

      After all, it works.

       

      reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
Advertisement
Essential Reading
Techdirt Deals
Techdirt Insider Chat
Techdirt Reading List
Advertisement
Recent Stories
Advertisement
Support Techdirt - Get Great Stuff!

Close

Email This

This feature is only available to registered users. Register or sign in to use it.