False Prophet of Adequate Congressional Oversight Finds Congressional Ignorance Unnewsworthy
I was going to leave this post, in which Ben Wittes complains that WaPo published details of NSA’s collection of millions of contact lists, which he didn’t find at all newsworthy, well enough alone.
Here the public interest in disclosure seems, at least to me, remarkably weak, after all. At the policy level, the entire story amounts to nothing more than the proposition that NSA is under 12333 collecting large volumes of live-stream data, storing it, and protecting U.S. person material within that data only through minimization requirements. We knew all of that already.
So what does this story reveal that we didn’t already know? A specific collection method that people can now frustrate and a particular interest in collecting contact lists. In other words, here the Post does not seem to be balancing the costs of the disclosure against its benefit to the public interest. The costs, rather, are the benefit to the public interest. Put another way, I can’t quite shake the feeling that my old newspaper is now blowing secrets merely for the sake of doing so.
But his response to this post from Conor Friedersdorf convinced me to do a post. He’s written about 40 tweets in response, asserting things like, “there is no good argument that this sort of activity is illegal under current law.” In all that tweeting, he did not, however, respond to what I thought was a pretty decent argument this sort of activity might be illegal under current law.
Two years ago, then FISA Court Judge John Bates considered the legality of content collected off US switches. He found the practice, as had been conducted for over 3 years, violated both Section 702 of FISA Amendments Act and the Fourth Amendment because it intentionally collected US person data (NSA’s apologists usually obscure this last point, but Bates’ opinion was quite clear that this was intentional collection). To make the collection “reasonable” under a special needs exception, he required NSA to follow more stringent minimization procedures than already required under Section 702, effectively labeling some of the data and prohibiting the NSA from using US person data except in limited circumstances.
That collection differs from the contact list collection revealed by the WaPo in several ways:
The contact lists are collected overseas
WaPo’s sources are quite clear: this collection would be illegal in the US. They get around that restriction by collecting the data overseas.
The NSA has not been authorized by Congress or the special intelligence court that oversees foreign surveillance to collect contact lists in bulk, and senior intelligence officials said it would be illegal to do so from facilities in the United States. The agency avoids the restrictions in the Foreign Intelligence Surveillance Act by intercepting contact lists from access points “all over the world,” one official said, speaking on the condition of anonymity to discuss the classified program. “None of those are on U.S. territory.”
It’s not clear whether the contact list counts as metadata or content
The collection reviewed by Bates was clearly content: Internet messages collected because a selector appeared in the body of the message. With the contact lists, I could see the government claiming it was just metadata, and therefore (incorrectly, in my opinion but not in current law) subject to a much lower standard of protection. Except (as noted) WaPo’s sources admit this would be illegal if collected in the US, probably because NSA is collecting content as well.
Each day, the presentation said, the NSA collects contacts from an estimated 500,000 buddy lists on live-chat services as well as from the inbox displays of Web-based e-mail accounts.
Contact lists stored online provide the NSA with far richer sources of data than call records alone. Address books commonly include not only names and e-mail addresses, but also telephone numbers, street addresses, and business and family information. Inbox listings of e-mail accounts stored in the “cloud” sometimes contain content, such as the first few lines of a message.
This data is subjected to a much lower standard of minimization than that imposed by Bates
In his flurry of tweets, Ben keeps repeating that the US person contact lists collected under this program are protected by minimization, so it’s all good. But minimization for Executive Order 12333 collection is not as rigorous as minimization under Section 702, and certainly doesn’t include the special handling that Bates required to make the Section 702 upstream collection compliant with the Fourth Amendment. So even for those who believe minimization on bulk collection gets you to compliance with the Fourth Amendment, it’s unclear whether the minimization provided for this collection does, and given Bates’ ruling, there’s reason to believe it does not.
Neither Congress nor the FISA Court oversees this collection closely
This is the part of the WaPo story that a guy like Ben who wails NAKED! every time someone questions whether there’s adequate oversight ought to have noted. A single source claimed this program includes checks and balances. But as WaPo lays out, these aren’t checks and balances like those protecting other US person collections.
A senior U.S. intelligence official said the privacy of Americans is protected, despite mass collection, because “we have checks and balances built into our tools.”
NSA analysts, he said, may not search within the contacts database or distribute information from it unless they can “make the case that something in there is a valid foreign intelligence target in and of itself.”
In this program, the NSA is obliged to make that case only to itself or others in the executive branch. With few exceptions, intelligence operations overseas fall solely within the president’s legal purview. The Foreign Intelligence Surveillance Act, enacted in 1978, imposes restrictions only on electronic surveillance that targets Americans or takes place on U.S. territory.
Sen. Dianne Feinstein, the California Democrat who chairs the Senate Intelligence Committee, said in August that the committee has less information about, and conducts less oversight of, intelligence gathering that relies solely on presidential authority. She said she planned to ask for more briefings on those programs.
“In general, the committee is far less aware of operations conducted under 12333,” said a senior committee staff member, referring to Executive Order 12333, which defines the basic powers and responsibilities of the intelligence agencies. “I believe the NSA would answer questions if we asked them, and if we knew to ask them, but it would not routinely report these things, and, in general, they would not fall within the focus of the committee.” [my emphasis]
Here we have DiFi and a senior Senate Intelligence Committee staffer admitting they don’t know much about what NSA does under EO 12333. If they know about it, they might ask and might get responses, but otherwise they are largely blind to this collection.
I’m curious. How does Ben claim “we knew of that already” if Senate Intelligence sources are suggesting they didn’t? Is Lawfare getting some kind of special briefings that not even SSCI is getting?
If this collection is intentional, it may well be illegal
All of which brings us to the one question on which, I think, the legality of this collection would ride.
Particularly given FISA Amendments Act Section 704, which requires a FISA order to collect content even on Americans overseas (though only in circumstances where those Americans have a reasonable expectation of privacy, which may be how NSA dismisses this requirement), I’m not sure NSA’s dodge that this is overseas collection works in this day and age. After all, a judge has now ruled that if the government collects US person content because it fits the terms of its search, it counts as intentional collection (which is why NSA apologists’ dishonesty about Bates’ ruling on the intentionality of the searches is so important). And NSA appears to be approaching the vast amount of this US person collection using the same strategy they did with domestic upstream collection: admitting they get it, but refusing to quantify it, perhaps out of fear that doing so would undermine claims this was unintentional.
Although the collection takes place overseas, two senior U.S. intelligence officials acknowledged that it sweeps in the contacts of many Americans. They declined to offer an estimate but did not dispute that the number is likely to be in the millions or tens of millions.
When information passes through “the overseas collection apparatus,” the official added, “the assumption is you’re not a U.S. person.”
In practice, data from Americans is collected in large volumes — in part because they live and work overseas, but also because data crosses international boundaries even when its American owners stay at home. Large technology companies, including Google and Facebook, maintain data centers around the world to balance loads on their servers and work around outages. [my emphasis]
Ultimately, if the NSA needed new legislation to cover “foreign” data collected transiting US backbone or sitting in US cloud storage, it probably needs new legislation to cover entirely domestic data collected in purportedly “foreign” locales. And it certainly shouldn’t use its assumption that this is all foreign as a way out of protections for US person data enshrined by law.
Now all of this is, of course, just my map of why this collection might not be legal, even under existing law (but especially noting Bates’ 2011 ruling on upstream collection).
But the way we determine whether something is legal or not in this country is in courts. Which brings me back to why it is so curious that Ben ignored the extensive discussion in the WaPo article of one of his favorite topics, the adequacy of oversight.
One reason this is news — one reason it is important and completely justifiable for WaPo to publish this — is it points to an arguably problematic (and even more arguably overreaching) program that evades almost all oversight. It can’t be deemed legal or not because it simply never gets reviewed in a court (and if it did, the NSA would likely refuse to reveal the extent to which it targeted Americans, like they already did for domestic upstream collection). Indeed, not even Ben’s beloved Congressional Oversight Committees (NAKED!) review this.
But I suspect that’s by design.
The NSA is knowingly (and admittedly, albeit anonymously) collecting data, probably including content, on millions of Americans by claiming it is foreign collection not subject to domestic laws, Congressional oversight, or the Courts. They may have a nice legal gimmick worked out for themselves that allows them to avoid the implications of Bates’ 2011 opinion, but that may be no more than a gimmick.
6 years ago, even Dianne Feinstein expressed concern the government would use EO 12333 to spy on US persons as a way of evading FISA. There’s certainly an easy case to make that NSA has done just that. Perhaps that’s reason enough to justify publishing this information?
Err, JohnT for one already gave a pointer to how intelligence collected outside the US was never revealed to Congress. Can guess what is collected “outside” the US stays “outside” the FISA, US congressional review and (laws, naturally).
The National Security Agency, exploiting an executive order loophole, does not give Congress detailed information about unlawful signals intelligence collection on United States citizens when those violations come from programs that focus exclusively on foreign intelligence collection outside the U.S., an intelligence official told Defense One on Friday.
I already speculated that foreign collected was including anything a foreign entity “could” collect.
The only reason the intelligence community did not drop a dime on massive financial fraud in the US is that the intelligence community is an enormous financial fraud on the US.
@greengiant: Yes. I’ve covered this many times before, and pointed to warnings from other places. This post is not about breaking news that Congress doesn’t get 12333 data. It’s to describe why it may well be illegal.
I wonder how much collection of US person data is subcontracted out from NSA to third parties, like the UK’s GCHQ. Then NSA could claim they didn’t actually “collect” it, they just acquired it as part of friendly cooperative information-sharing between allies.
Yeah, it sounds stupid. But I wouldn’t be surprised at anything anymore.
EW, re:control of routers.
So, if an ip packet gets routed out of the US, and then back into the US, does it acquire a foreign accent?
Wittes’s judgment as to the “public interest” — and, presumably, the ethos on the basis of which he pursues what he surely tells himself is journalism — may come as a surprise to the many news consumers who expect the Fourth Estate to dig up the facts so that they, the public, rather than the diggers can decide what’s of interest. Of course, if Wittes unilaterally decides in advance that there’s nothing worthwhile for the public to know, particularly when it comes to holding the government accountable, it’s not altogether clear whether journalism is what he’s doing.
@SpaceLifeForm: Yes. That’s one of the things the 2011 report actually talks about, how in that case they might only have the IP of the routers.
That’s interesting because if that is an active assumption then it means that they have created an international analogue to the due process-free border zones in the U.S. In essence they are arguing that if you have any online contact abroad, say if you know someone abroad, work abroad, access cloud storage hosted abroad, accidentally have packets routed via Canada, etc.
The practical upshot of which is that they now, like customs and border protection are letting assumptions of external law turn inward.
Just a guess but, I wonder if the novel legal interpretation that Wyden is poking at has to do with this? I.E. is it an assumption that this line of reasoning is legally valid for traffic picked up on the U.S. end as well.
@SpaceLifeForm. I used to wonder why table after table of what were expected to be purely domestic tracert results would each take one weird, out of the way hop through, say, “China,” like an incessant, nervous tic. At times this would go on for days, no matter the tracerted U.S. address. Not so much lately incidentally.