More documents have been yanked out of the NSA's hands, thanks to a New York Times FOIA lawsuit
. The documents are from 2007, and they further detail the agency's warrantless surveillance program which swept up not only phone numbers but also email addresses and content. The program wasn't actually legal at the time it rolled out. It took the FISA Amendments Act of 2008 to codify this. In the meantime, the agency used interim legislation (2007's Protect America Act) and some hubris to enhance its haystacking business.
The previously-released FISA order
from April of 2007 contains a rare moment of hesitation by a FISA judge (Roger Vinson), who didn't buy the NSA's arguments that a phone number or email address could be a "facility" in and of itself. Rather than use the standard definition of a "facility" -- that being a base of operations -- the NSA chose to read it as an impossible combination of noun and verb. An email address is a "facility" because it "facilitates communications." Vinson wasn't too impressed with this, or the fact that the application didn't contain much in the way of probable cause. As he noted, the NSA's intention was to collect both sets of data in bulk, far from the targeted surveillance it attempted to portray in its application.
The May 2007 order
(also by Roger Vinson) shows that the NSA found a way to get its aims accomplished, despite Vinson's reluctance. A "new legal theory" was offered by the agency in an amended application and buttressed by Keith Alexander's declaration that it was all totally legal.
Unfortunately, the order doesn't detail the NSA's legal theory, or at least not in any visible way. Vinson's musings on the NSA's Plan B turns out to be a bunch of wasted typing. His declaration that on the "basis of facts submitted by the applicant, there is probable cause to believe that...:" is followed by four completely redacted pages.
Following that, Vinson authorizes the NSA's "roving, multipoint" surveillance, based on the opinion that Congress would
have authorized that (and apparently pretty much anything else it may or may not have conceived of) considering the "Government's national security interests are so great." This rationale again. And again, presented by an agency whose livelihood depends on the depiction of security threats as perennially "great" and everlasting. Vinson also agreed to contact-chaining using these numbers and email addresses as selectors. As a remedy for possibly illegal surveillance, the FISA court offers nothing more than fixes after the fact.
This holding, albeit novel, is consistent with the overall statutory requirements; it requires the Government to report and provide appropriate justification to the Court; and it supplies the Government with a necessary degree of agility and flexibility in tracking the targeted foreign powers. This Court will be able to ultimately determine whether the electronic surveillance was proper.
The FISA court authorizes a rolling 21-day grace period to report on any new numbers/email addresses added to the NSA's collections, from which the FISA judges would determine whether sufficient probable cause exists to continue surveillance. Better than nothing, but still a three-week "free swim" for analysts.
One stipulation stands out, though.
Unconsented physical entry is not authorized to implement the electronic surveillance approved herein.
The NSA isn't known for physically tapping phones or planting bugs
(at least not here in the US… and at least not to our knowledge at this point). It's a requirement that does the agency no harm. But the hypothetical question raised by this is: does "unconsented physical entry" cover things like the interception
of US tech companies' products in order to insert backdoors and malware? It won't be discussed here because this only deals with the NSA's roving, targeted/bulk surveillance hybrid. But it's something to keep in mind for future document releases.
This order is also added the FBI to the NSA's surveillance CC: list.
Information that is not foreign intelligence information, but reasonably appears to be evidence of a crime that has been, is being, or is about to be committed, may be disseminated (including United States person identities) to the FBI and other appropriate federal law enforcement authorities, in accordance with 50 U.S.C. 1806(b), Executive Order No. 12333…
And so, the domestic surveillance that wasn't (this order -- and past ones -- draws a very clear line between foreign targets and known US persons) becomes a handy tool for domestic surveillance. As the court notes earlier in the order, because of where the communications and data are collected, there's no real way to separate US/non-US data without digging through the collection. When it's discovered, minimization procedures are to apply -- except, apparently, if it can hand the data/communications off to the FBI. (The CIA, on the other hand, gets everything
, domestic or foreign, apparently only subject to the NSA's discretion.)
Again, this entire line of surveillance still hadn't been determined to be completely legal. It took the FISA Amendments Act to codify this particular program. Despite that, it was approved anyway, thanks to the NSA's willingness to explore as many legal theories as necessary in order to secure the FISA judge's approval.
That's the problem with these two orders. We don't get to see the NSA's legal wranglings. Those are redacted. And what is actually revealed doesn't explain much. The May 2007 order notes that the NSA's arguments are still on shaky ground and the earlier (and much longer) April order handles the entirety of the agency's legal discussions on its contact-chaining of unrelated "facilities" in a single paragraph
In this case, the Government has also asked for specific authority to acquire certain electronic communications that relate to or refer to an e-mail [redacted] that is targeted for surveillance under this Order. For example, the Government argues that it should be allowed to acquire any e-mail communication that mentions a targeted e-mail [redacted] even though the communication is to and from other e-mail [redacted] not currently under electronic surveillance. After careful consideration of the Government's arguments, the Court holds that, in the limited and carefully considered circumstances described below, there is probable cause to believe that internet communications relating to a previously targeted e-mail [redacted] are themselves being sent and/or received by one of the targeted foreign powers, and thus those communications may be acquired by the NSA.
And there goes any hope that the collection would be targeted. Simply mentioning a targeted email in the body of an email message is enough "probable cause" for the FISA court, which goes on to note that it's perfectly OK (in the search for supporting probable cause) for the agency to read nearly any communication that crosses its desk, provided it's within a step or two of its selectors.
The NSA didn't get to where it is today overnight. It took a decade of legal wrangling and the steadfast assertion that the terrorist threat to the US is just as strong as it was September 10, 2001. With the assistance of obliging courts and sympathetic legislators, the NSA has become a data and communications behemoth, sucking in vast quantities of both from all over the world.