FAA Extension: The Data Gaps about Our Data Collection

As I noted the other day, part of the point of the language Ron Wyden got declassified the other day seemed to be to call out a misrepresentation in Dianne Feinstein’s Additional Views in the Senate Intelligence Report on the extension of the FISA Amendments Act. DiFi had claimed that “the FISA Court … has repeatedly held that collection carried out pursuant to the Section 702 minimization procedures used by the government is reasonable under the Fourth Amendment.” She neglected to mention that, “on at least one occasion the Foreign Intelligence Surveillance Court held that some collection carried out pursuant to the Section 702 minimization procedures used by the government was unreasonable under the Fourth Amendment.”

But since Wyden pointed back to that language, I wanted to note something else in the paragraph in which DiFi’s misleading claim appears: She suggests there is substantial reporting on the program.

This oversight has included the receipt and examination of over eight assessments and reviews per year concerning the implementation of FAA surveillance authorities, which by law are required to be prepared by the Attorney General, the Director of National Intelligence, the heads of various elements of the intelligence community, and the Inspectors General associated with those elements. In addition, the Committee has received and scrutinized un- redacted copies of every classified opinion of the Foreign Intelligence Surveillance Court (FISA Court) containing a significant construction or interpretation of the law, as well as the pleadings submitted by the Executive Branch to the FISA Court relating to such opinions.

[snip]

Third, the numerous reporting requirements outlined above provide the Committee with extensive visibility into the application of these minimization procedures and enable the Committee to evaluate the extent to which these procedures are effective in protecting the privacy and civil liberties of U.S. persons. [my emphasis]

But in her sentence claiming the FISA Court keeps approving the program, she reveals that the Court is not getting all those reports.

Notably, the FISA Court, which receives many of the same reports available to the Committee, has repeatedly held that collection carried out pursuant to the Section 702 minimization procedures used by the government is reasonable under the Fourth Amendment.

[my emphasis]

The Court receives “many” of the same reports. Which suggests it doesn’t see all of them.

That comment is all the more interesting because of something Pat Leahy said at least week’s Senate Judiciary Committee mark-up of the bill.

Congress has been provided with information related to the implementation of the FISA Amendments Act, along with related documents from the FISA Court. Based on my review of this information, and after a series of classified briefings, I do not believe that there is any evidence that the law has been abused, or that the communications of U.S. persons are being intentionally targeted.

[snip]

My views about the implementation of these surveillance authorities are based on the information we have available now – but there is more that we need to know. For example, important compliance reviews have not yet been completed by the Inspectors General of the Department of Justice or the NSA. And there has never been a comprehensive, independent inspector general review of FISA Amendments Act implementation that cuts across the intelligence community, and that is not confined to one particular element or agency. Without the benefit of such independent reviews, I am concerned that a five-year extension is too long.  [my emphasis]

Here’s what the Inspectors General are supposed to report (basically, they’re supposed to make sure the government is doing what it says it is, and track some–but not the most important–US collection):

The Inspector General of the Department of Justice and the Inspector General of each element of the intelligence community authorized to acquire foreign intelligence information under subsection (a), with respect to the department or element of such Inspector General—

(A) are authorized to review compliance with the targeting and minimization procedures adopted in accordance with subsections (d) and (e) and the guidelines adopted in accordance with subsection (f);

(B) with respect to acquisitions authorized under subsection (a), shall review the number of disseminated intelligence reports containing a reference to a United States-person identity and the number of United States-person identities subsequently disseminated by the element concerned in response to requests for identities that were not referred to by name or title in the original reporting;

(C) with respect to acquisitions authorized under subsection (a), shall review the number of targets that were later determined to be located in the United States and, to the extent possible, whether communications of such targets were reviewed;

Which is interesting because, in addition to adding a general review of the FAA collection and use by the Intelligence Inspector General, Leahy’s substitute amendment tweaked the language on IG reviews, as well.

In addition to requiring the IGs to count the number of targets later found to be located in the US, Leahy also required them to count how many US persons had been targeted, such that (C) would read,

(C) with respect to acquisitions authorized under subsection (a), shall review the number of targets that were later determined to be United States persons or located in the United States and, to the extent possible, whether communications of such targets were reviewed; [my emphasis]

More interesting still, he changes the language describing which agencies will undertake such reviews (and it’s a change in language he makes elsewhere in one or two places). Rather than requiring reviews from agencies that are “authorized to acquire foreign intelligence information,” he requires it from agencies “with targeting or minimization procedures approved under this section.” So the introductory paragraph in this section would read,

The Inspector General of the Department of Justice and the Inspector General of each element of the intelligence community with targeting or minimization procedures approved under this section, with respect to the department or element of such Inspector General— [my emphasis]

Though note, the language in paragraph C still refers to acquisitions.

This seems to suggest there are agencies (the NSA) that are authorized to acquire all this telecom traffic. And then there are agencies (FBI, intelligence agencies at DOD, DEA) that have “minimization” procedures–that is, that actually access and use the information. And Leahy’s trying to make sure we get reporting from both types of agencies.

All of which seems to pertain to something Julian Sanchez wrote about here. Not only doesn’t “targeting” mean what you would think it means. But minimization doesn’t either.

Communications aren’t “minimized” until they’re reviewed by human analysts—and given the incredible volume of NSA collection, it’s unlikely that more than a small fraction of what’s intercepted ever is seen by human eyes. Yet in the statements above, we have two intriguing implications: First, that “collection” and “minimization” are in some sense happening contemporaneously (otherwise how could “collection” be “pursuant to” minimization rules?) and second, that these procedures are somehow fairly intimately connected to the question of “reasonableness” under the Fourth Amendment.

To make sense of this, we need to turn to the Defense Department’s somewhat counterintuitive definition of “collection” for intelligence purposes. As the Department’s procedures manual explains:

Information shall be considered as “collected” only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties…. Data acquired by electronic means is “collected” only when it has been processed into intelligible form.

This dovetails with a great deal of what we know about recent NSA surveillance, in which enormous quantities of communications are stored in a vast database codenamed Pinwale for later analysis.

[snip]

The language of these statements, however, would be consistent with the clever “solution” former NSA employees and whistleblowers like Bill Binney have long been telling us the agency has adopted. Referring to a massive data storage facility being constructed by NSA in Utah, Binney writes:

The sheer size of that capacity indicates that the NSA is not filtering personal electronic communications such as email before storage but is, in fact, storing all that they are collecting. The capacity of NSA’s planned infrastructure far exceeds the capacity necessary for the storage of discreet, targeted communications or even for the storage of the routing information from all electronic communications. The capacity of NSA’s planned infrastructure is consistent, as a mathematical matter, with seizing both the routing information and the contents o all electronic communications.

Binney argues that when NSA officials have denied they are engaged in broad and indiscriminate “interception” of Americans’ communications, they are using that term “in a very narrow way,” analogous to the technical definition of “collection” above, not counting an e-mail or call as “intercepted” until it has been reviewed by human eyes. On this theory, the entire burden of satisfying the Fourth Amendment’s requirement of “reasonableness” is borne by the “minimization procedures” governing the use of the massive Pinwale database. On this theory, the constitutional “search” does not occur when all these billions of calls and emails are actually intercepted (in the ordinary sense) and recorded by the NSA, but only when the database is queried.

So here’s what I take away from all this.

First, there’s no requirement that the agencies track when Americans get targeted (whether overseas or in the US), which, remember, is different than Americans having their communications read as part of “minimization.”

Second, it seems possible that some agencies aren’t doing this kind of reporting at all, because they technically can’t “acquire” but they can “minimize” (that is, acquire) contacts.

Third, the two most important agencies–NSA and FBI–have not submitted some of the compliance reviews. So, for example, we don’t know whether FBI has been minimizing (that is, acquiring) contacts from Americans willy nilly.

Fourth, the FISA Court may not even see all of what Congress sees. And even without it, the Court found the government to be violating the Fourth Amendment at least once.

Fifth, no one has ever looked at how all this fits together, how what we would call acquisition fits together with minimization (which is when the government seems to claim “acquisition” happens). Which given that it appears the end users–the people who acquire under the name of minimization–seem to be the only ones who find out if the program is picking up Americans, means we don’t know how often the collection process ends up collecting on US persons.

Finally, in spite of all of these data gaps, they’re just going to extend the program for another three (or probably five, after it gets through Congress) anyway.

For a bunch of elected representatives purportedly trying to make sure we get the information we need, they seem to be in a rush to renew this program without the information we need.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

13 replies
  1. MadDog says:

    This also fits with the US government’s repeated “explanation” that they cannot report on the number of US persons’ communications that have been “collected”, and that attempting to do so would violate the privacy rights of US persons.

    First, it would require acknowledging a politically untenable and damning admission that they are collecting everything!

    No matter how hard they tried to come up with palatable explanation were they required to explain this to the American public, the realists among them would admit to themselves that no such explanation is even possible.

    They face a real-world Hobson’s choice: Either grab all of the data, and with it, the potential of acquiring electronic fingerprints of terrorism activities, crimes, or other misdeeds, or electronically “blind” themselves to the increasingly electronic world around them.

    A second observation is that they have adopted the fatally flawed theory that it is technologically possible to “know it all”. By that I mean, they have adopted the belief that it is possible to collect all communications, and that future technology advances will magically keep ahead of the ever increasing digital world expansion.

    This is akin to the magical kind of thinking that some retain from their childhood. That is, if I really, really like cookies, then the most joyous thing imaginable is to eat cookies every waking moment for the rest of one’s life. Actually practicing such an endeavor would in the minds of the rational be laughingly absurd. Not apparently so for the US government!

  2. lefty665 says:

    @MadDog: “A second observation is that they have adopted the fatally flawed theory that it is technologically possible to “know it all”. By that I mean, they have adopted the belief that it is possible to collect all communications, and that future technology advances will magically keep ahead of the ever increasing digital world expansion.

    This is akin to the magical kind of thinking that some retain from their childhood. That is, if I really, really like cookies, then the most joyous thing imaginable is to eat cookies every waking moment for the rest of one’s life. Actually practicing such an endeavor would in the minds of the rational be laughingly absurd. Not apparently so for the US government!”

    Uh, pardon me, but did you read Binney’s quote? Have you not been listening to what he Drake and other ex-NSAers have been saying? Did you not see Bamford’s article on Beef Hollow Rd?

    Do you have any technical cred to support your snarky and, from what we have heard from people with qualifications, silly conclusions?

    NSA had it’s first terrabyte storage in the late 60’s, It was about the size of a small closet and slow. Today that Tb will fit easily in the palm of a baby’s hand, and access is fast.

    Beef Hollow Rd. is several times larger than the Capitol. Care to extrapolate how many of those smaller than a baby’s palm “cookies” can be stored there?

    Think Carl Sagan, “Billions and billions”. Perhaps you will re-think (I’m being charitable) your foolish denigration of the folks who comprise our “national technical means”.

    I do not have to like what they’re doing to respect their capabilities. Paying attention to what they could do in the past can give us a sense of their current abilities. That can also give us a rational approximation of the future. To do otherwise would be “laughably absurd”.

  3. emptywheel says:

    @MadDog: I think that’s behind Leahy’s change in language. If the IGs are required to at least track how many US persons are caught up (though it appears that only applies to the original acquisition, not the “minimization-as-acquisition”), then we’ll begin to get that number.

  4. lefty665 says:

    @emptywheel: @emptywheel:

    MadDog has it right in his second paragraph “they are collecting everything!”… and have been, and will continue to do so using money we pay in taxes and loans from the Chinese to build the capability.

    The number is not hard to know, around 300 million domestically, and an unknown multiple of that globally.

    As you note, all the rest is semantic games dancing around that reality.

  5. MadDog says:

    @lefty665:

    “…Uh, pardon me, but did you read Binney’s quote? Have you not been listening to what he Drake and other ex-NSAers have been saying? Did you not see Bamford’s article on Beef Hollow Rd?

    Do you have any technical cred to support your snarky and, from what we have heard from people with qualifications, silly conclusions?…”

    Ummm…why yes. I have over 30 years of experience in computing.

    “…NSA had it’s first terrabyte storage in the late 60′s, It was about the size of a small closet and slow. Today that Tb will fit easily in the palm of a baby’s hand, and access is fast.

    Beef Hollow Rd. is several times larger than the Capitol. Care to extrapolate how many of those smaller than a baby’s palm “cookies” can be stored there?…

    Storage of stuff means absolutely nothing. Packrats store stuff and that is exactly what our government technologists (and their private sector computing companies who want to sell them their products) are. Packrats! Doing anything useful with TBs of stored data is another thing altogether.

    Dream on.

  6. ondelette says:

    The model to keep in mind is one of cyberspace-time, that is, cyberspace that is stored with a time component so that it extends into the past. In such a place, as in physical space, a surveillance looks like looking at someone with binoculars. Pointing the binoculars at them is targeting, looking through the binoculars and seeing something is acquiring, restricting the binoculars to only seeing what you’re supposed to look at is minimization.

    Coherently explaining such a model to an oversight committee will convince them that the practitioners need the laws which set it up, are not abusing the laws if they stick to it, and need the model if they can show useful products, because the model is holistic.

    The Congress approved part of it with the Patriot Act, and part with the FAA, and the FISC approved part with an acknowledgement before the FAA that storing data was not surveilling it, even though at some point in the not so distant past it had been. Other parts have been accreted along the way.

    The interaction of this social contract with the social contract of the physical world is horrendous and exploitative, but will not seem so from the frame of cyberspace or of the physical world, only from the frame of the interacting boundary. That’s why it’s so easy for the intelligence community to lull Congress, for the commercial community to lull the consumers, and for the rights and minds of the individuals to now slip away at an ever increasing pace.

  7. lefty665 says:

    @jerryy: Thank you. Good links.

    It’s an amazing world. Data doubling every 40 months since 1980 is profound. It’s fast enough to keep folks in the business of keeping track of it on their toes.

    I got my first hard drives in about 1980. The disk cabinet held 2 2.5mb 14″ platters, one fixed, one removable. They were a couple of thousand dollars a meg. Today I’m getting 2Tb drives for under a hundred bucks,that’s less than the hard shell case for the removable drive cost in 1980. It looks like storage and access have more than kept up with data.

    Processing may be more difficult, but it is reasonable to believe advances on a similar scale are achievable.

  8. lefty665 says:

    @MadDog: “Storage of stuff means absolutely nothing. Packrats store stuff and that is exactly what our government technologists… are. Packrats! Doing anything useful with TBs of stored data is another thing altogether.

    Dream on.”

    Actually, it’s more a nightmare than a dream.

    There are lots of ways to use data. Some is predictive, like having the drone at the right intersection at the right time to terminate you with prejudice for running another red light. Some is associative, which seems to be the basis of our “Signature strikes”. Better hope we don’t order pizza from the same place as bad guys, go to the same gym and shop at the same Target.

    I don’t pretend to know “big data”, but it is not hard to see that huge masses of data can be filtered and associated. Also, looking back at today’s data with tomorrow’s tools and perspective will surely reveal things we cannot anticipate today. My examples do not even begin to scratch the ways data can be tickled to reveal “useful” information. They are however simple illustrations of how data collection is more than “packratism”.

    Have there been boondoggles? You betchya, Drake and Binney have related them. NSA and bidness friends should be severely and profoundly embarrassed, if not indicted. But to extrapolate from there that all data collection is mindless “packratting” by gov’t technocrats, and their for profit toadies, is mind bogglingly simple minded.

    “future technology advances will magically keep ahead of the ever increasing digital world expansion.”

    Well yes, the chances are pretty good it will. NSA has been doing automated key word traffic analysis for around 60 years. From WWII on they have had the largest collection of computers in the world. Things got tough for them in the ’90s with end of cold war funding cuts and changes in communications technology. Changing their cold war focus from Russia to hundreds of nations and dialects was a challenge. Since 9/11 they seem to have had the funding and assigned mission to address those issues, and more. It’s the “and more” part that’s scary.

    Looking back over the years it’s seemed they’ve had technical capabilities 2-3 generations (Moore’s law: {crudely} Density doubles every 18 months, 2 generations in 36 months is a 4-1 change. Therefore, everything 3 years old is obsolete) ahead of us civilians. A rough example we can all see is using the IT stuff we have today to massage all the data available on 9/11. There was less than one bit then for every byte today. Might even be able to count it in Tb instead of PB. (Intel was selling single core chips that ran so hot you could fry eggs on them, and they hadn’t even dreamed about integrating hardware spy, remote bricking and OOB comm when the computer’s turned “off” on the cpu die. Y2k fear was subsiding.) Doesn’t seem so daunting, sorta quaint and naive really. Figure NSA’s got around that same jump on today’s data.

    The original topic was that it’s apparent that NSA is “acquiring” just about everything, and that semantic games and impossibly fine definitions are being used to obscure and deflect scrutiny. To trivialize that discussion by equating massive and invasive collection to a baby wanting to eat cookies all the time, or demeaning the people who do the collecting as packrats, precludes reasonable discussion. I might as well go listen to Rush.

    You and I have apparently been at this IT stuff for a long time. Maybe we should talk, together we might put together half a brain. We could at least swap war stories… “Why things were so primitive when I started they hadn’t even invented floppy disks.” “That’s nothing, I had to slice up old stone wheels for media and sweep up iron filings from the spear point factory floor for magnetic plating…”

  9. P J Evans says:

    @lefty665:
    I’m reading ‘packratting’ as being collecting and holding onto everything they can get now, thinking that it will be useful Real Soon Now (meaning some indefinite time in the future). It has to be stored somewhere, meanwhile.

  10. lefty665 says:

    @P J Evans: Yes. “real soon now” can be anywhere from later this afternoon to years. Beef Hollow Rd is where it is all going, in addition to where it is now.

    Predicting which piece of data will turn out to be crucial, or when is a mugs game.

    An example, ca 2002, an al-Qaeda safe house in the middle east was identified. Communications to or from that location before it was identified were not worth doing anything more with than archiving. That “packratted” data got a lot of human eyeballs in a hurry after the location was fingered. It produced actionable information. (Bamford – Pretext for war).

    Suggesting that we’re safe because they’re such bozos they won’t ever be able to analyze what they’re collecting is at best disingenuous.

    I believe that “collecting”, analyzing (even automated), and saving every bit, byte, keystroke and syllable for future data mining and associating with commercial records and increasing public surveillance destroys the 4th amendment.

    What I was objecting to was ridiculing, trivializing and ad hominem demeaning that does not help anyone understand the issues or further the discussion.

  11. MadDog says:

    @lefty665: No, I made no such “ridiculing, trivializing and ad hominem demeaning” statements. It was you who made such statements as in:

    “…Do you have any technical cred to support your snarky and, from what we have heard from people with qualifications, silly conclusions?…”

    (My Bold)

    My use of “the child eating cookies” statement was an analogy that I still believe is fitting. It was neither meant to ridicule, trivialize, nor demean by ad hominem.

    Instead it was meant to convey the meaning of something being unrealistic. Nothing more.

    I insist that my point about the US government trying to effectively analyze the masses of data they collect is in my opinion a task that is not possible simply because the huge masses of data collected cannot even be effectively tagged, indexed, and searched. And as the amount of data collected increases over time, the ability to tag, index, and search continues to diminish as a function of time.

    I still hold that opinion despite your commentary, and I am not demeaning your right to have a different opinion. We perhaps disagree about the ability of computer technologists and the capability of computing programs, but that is not the same thing as “ridiculing, trivializing and ad hominem demeaning” declarations.

    My position is that the US government and its technologists collect these huge masses of data because they can.

    My position is also that they are being laughably absurd to think that they can ever effectively analyze it. I take this position as one who has spent a lifetime trying to understand the implications and capabilities of both computing technology and the humans who attempt to harness it.

  12. MadDog says:

    @MadDog: And a further point that needs to be made – I believe the US government will (and does) attempt to effectively analyze these huge and growing masses of data they collect.

    I don’t believe they are or will be successful though they will claim otherwise if only to keep the money flowing to their already gigantic budgets. Failure will never be admitted.

Comments are closed.