As expected, the Privacy and Civil Liberties Oversight Board (PCLOB) has now issued its analysis of the Section 702 surveillance done by the NSA (and, as revealed earlier this week, passed on to the FBI and CIA). You may recall that, back in January, the PCLOB issued a scathing report about the NSA's Section 215 bulk data collection efforts, calling the program both illegal and unconstitutional. In contrast, the report on the 702 program is much more muted -- claiming that the program is constitutional, legal and effective as a counterterrorism tool. Like the previous report, this new one is highly readable -- and I recommend reading it in its entirety. However, the legal analysis is disappointing compared to the earlier report.
The report details how the program works, in a manner that doesn't really reveal too much that's new for folks who have been following all of the details over the past year, but does confirm the basics of how the Section 702 collections work -- something that many, many people seem to be confused about.
In short, the Section 702 program is made up of two different collections of information. The first is the infamous PRISM program, which is not as broad as many people have believed in the past. This is when, under FISA Court approval, various internet companies are given certain "selectors" related to non-US persons, and those companies are compelled to hand over the communications to or from that person:
In PRISM collection, the government sends a selector, such as an email address, to a
United States-based electronic communications service provider, such as an Internet
service provider (“ISP”), and the provider is compelled to give the communications sent to
or from that selector to the government. PRISM collection does not include the acquisition
of telephone calls. The National Security Agency (“NSA”) receives all data collected through
PRISM. In addition, the Central Intelligence Agency (“CIA”) and the Federal Bureau of
Investigation (“FBI”) each receive a select portion of PRISM collection.
This is different from the much more troubling "upstream" collection, which comes from directly tapping the internet backbone and basically sifting through everything possible to see if any triggers are hit. This is where the infamous "about" triggers are included. As we've been discussing, the NSA doesn't just collect communications to and from targets, but also "about" them -- and that all happens at the upstream level, rather than PRISM. Upstream is also where the NSA is able to collect audio communications.
Upstream collection differs from PRISM collection in several respects. First, the
acquisition occurs with the compelled assistance of providers that control the
telecommunications “backbone” over which telephone and Internet communications
transit, rather than with the compelled assistance of ISPs or similar companies. Upstream
collection also includes telephone calls in addition to Internet communications. Data from
upstream collection is received only by the NSA: neither the CIA nor the FBI has access to
unminimized upstream data. Finally, the upstream collection of Internet communications
includes two features that are not present in PRISM collection: the acquisition of so-called
“about” communications and the acquisition of so-called “multiple communications
transactions” (“MCTs”). An “about” communication is one in which the selector of a
targeted person (such as that person’s email address) is contained within the
communication but the targeted person is not necessarily a participant in the
communication. Rather than being “to” or “from” the selector that has been tasked, the
communication may contain the selector in the body of the communication, and thus be
“about” the selector. An MCT is an Internet “transaction” that contains more than one
discrete communication within it. If one of the communications within an MCT is to, from,
or “about” a tasked selector, and if one end of the transaction is foreign, the NSA will
acquire the entire MCT through upstream collection, including other discrete
communications within the MCT that do not contain the selector.
While PRISM has been the sexy target for complaints due to its name and connection to easy target tech companies, the upstream sifting through the backbone has always been the much more troubling program, and this report confirms that.
Unfortunately, unlike the PCLOB's report on the Section 215 program, here the PCLOB more or less throws up its hands over the possible legal and constitutional issues, insisting that it's probably fine or that violations are "incidental." The EFF has issued a scathing condemnation of the report, noting its most glaring weakness: a failure to recognize that the Constitution requires a warrant to collect any such data in the first place. The PCLOB seems to totally ignore this requirement, as the EFF points out:
The board skips over the essential privacy problem with the 702 “upstream” program: that the government has access to or is acquiring nearly all communications that travel over the Internet. The board focuses only on the government’s methods for searching and filtering out unwanted information. This ignores the fact that the government is collecting and searching through the content of millions of emails, social networking posts, and other Internet communications, steps that occur before the PCLOB analysis starts. This content collection is the centerpiece of EFF’s Jewel v. NSA case, a lawsuit battling government spying filed back in 2008.
The board’s constitutional analysis is also flawed. The Fourth Amendment requires a warrant for searching the content of communication. Under Section 702, the government searches through content without a warrant. Nevertheless, PCLOB’s analysis incorrectly assumes that no warrant is required. The report simply says that it “takes no position” on an exception to the warrant requirement when the government seeks foreign intelligence. The Supreme Court has never found this exception.
PCLOB findings rely heavily on the existence of government procedures. But, as Chief Justice Roberts recently noted: "the Founders did not fight a revolution to gain the right to government agency protocols." Justice Roberts’ thoughts are on point when it comes to NSA spying—mass collection is a general warrant that cannot be cured by government’s procedures.
Frankly, it does seem bizarre that the PCLOB fails to even consider the original collection and whether or not that violates the 4th Amendment. The Constitutional analysis in the report seems to leap over that question almost entirely, focusing just on the question of what the NSA hangs onto later. The brief discussion about the actual collection basically just says "well, this is tricky, because we're not looking at a single instance, but rather an entire program -- some of which may be Constitutional and some of which may be not, so we'll just lump it all together and see if it meets the 'reasonable' test." That seems... questionable. If any part of the program is unconstitutional then that's a problem. You don't get to lump it all together and say that, on the whole, it's probably Constitutional because most of the searches and collection would likely be allowed. Even as such, the PCLOB says that the program -- especially the backdoor searches on Americans -- pushes the program "close to the line of constitutional reasonableness" but probably not over it.
These features of the Section 702 program, and their cumulative potential effects on
the privacy of U.S. persons, push the entire program close to the line of constitutional
reasonableness. At the very least, too much expansion in the collection of U.S. persons’
communications or the uses to which those communications are put may push the program
over the line. The response if any feature tips the program over the line is not to discard the
entire program; instead, it is to address that specific feature.
And, indeed, nearly all of the "recommendations" are to "address" minor aspects that the PCLOB finds to be potentially troubling, but without making any significant changes to the way either part of the program functions.
For example, concerning those "about" searches, the PCLOB basically says that it would be nice if they were limited, but that the NSA doesn't really have a way to do that, so, oh well, what can you do?
With regard to the NSA’s acquisition of “about” communications, the Board
concludes that the practice is largely an inevitable byproduct of the government’s efforts to
comprehensively acquire communications that are sent to or from its targets. Because of
the manner in which the NSA conducts upstream collection, and the limits of its current
technology, the NSA cannot completely eliminate “about” communications from its
collection without also eliminating a significant portion of the “to/from” communications
that it seeks. The Board includes a recommendation to better assess “about” collection and
a recommendation to ensure that upstream collection as a whole does not unnecessarily
collect domestic communications.
Similarly, the PCLOB notes that, despite all of the information the intelligence community was willing to share with it, that did not include details of how many US persons were impacted by the program:
The government is presently unable to assess the scope of the incidental collection
of U.S. person information under the program. For this reason, the Board recommends
several measures that together may provide insight about the extent to which
communications involving U.S. persons or people located in the United States are being
acquired and utilized.
So, in short, on some of the biggest questions in front of the PCLOB, it basically says "Well, there's not much we can do, but it would sure be nice if we had more info next time." Blech. Shouldn't those be the point at which the PCLOB says "Hey, wait, that's unacceptable and illegal and needs to be fixed!"
While at first, it did seem that the report was ignoring the privacy rights of non-US persons, it does actually include a fairly thorough section on such privacy rights, and how those rights actually do have some built-in protections under the program. While it's a low bar, it's at least moderately reassuring that the program is not, as some assumed, designed to say "non-US persons have no privacy rights whatsoever." The report also notes international law, and President Obama's newly issued rules for protecting the privacy rights of non-US persons, but notes that those rules have not yet been fully implemented and could change the analysis.
In the end, the report does provide some valuable clarifications and explanations of what's going on -- but it's disappointingly weak in the legal and Constitutional analysis. If you're interested in the specific recommendations of the PCLOB, we've included them below, above the embedded report.