FAA Extension: The Data Gaps about Our Data Collection
As I noted the other day, part of the point of the language Ron Wyden got declassified the other day seemed to be to call out a misrepresentation in Dianne Feinstein’s Additional Views in the Senate Intelligence Report on the extension of the FISA Amendments Act. DiFi had claimed that “the FISA Court … has repeatedly held that collection carried out pursuant to the Section 702 minimization procedures used by the government is reasonable under the Fourth Amendment.” She neglected to mention that, “on at least one occasion the Foreign Intelligence Surveillance Court held that some collection carried out pursuant to the Section 702 minimization procedures used by the government was unreasonable under the Fourth Amendment.”
But since Wyden pointed back to that language, I wanted to note something else in the paragraph in which DiFi’s misleading claim appears: She suggests there is substantial reporting on the program.
This oversight has included the receipt and examination of over eight assessments and reviews per year concerning the implementation of FAA surveillance authorities, which by law are required to be prepared by the Attorney General, the Director of National Intelligence, the heads of various elements of the intelligence community, and the Inspectors General associated with those elements. In addition, the Committee has received and scrutinized un- redacted copies of every classified opinion of the Foreign Intelligence Surveillance Court (FISA Court) containing a significant construction or interpretation of the law, as well as the pleadings submitted by the Executive Branch to the FISA Court relating to such opinions.
Third, the numerous reporting requirements outlined above provide the Committee with extensive visibility into the application of these minimization procedures and enable the Committee to evaluate the extent to which these procedures are effective in protecting the privacy and civil liberties of U.S. persons. [my emphasis]
But in her sentence claiming the FISA Court keeps approving the program, she reveals that the Court is not getting all those reports.
Notably, the FISA Court, which receives many of the same reports available to the Committee, has repeatedly held that collection carried out pursuant to the Section 702 minimization procedures used by the government is reasonable under the Fourth Amendment.
The Court receives “many” of the same reports. Which suggests it doesn’t see all of them.
That comment is all the more interesting because of something Pat Leahy said at least week’s Senate Judiciary Committee mark-up of the bill.
Congress has been provided with information related to the implementation of the FISA Amendments Act, along with related documents from the FISA Court. Based on my review of this information, and after a series of classified briefings, I do not believe that there is any evidence that the law has been abused, or that the communications of U.S. persons are being intentionally targeted.
My views about the implementation of these surveillance authorities are based on the information we have available now – but there is more that we need to know. For example, important compliance reviews have not yet been completed by the Inspectors General of the Department of Justice or the NSA. And there has never been a comprehensive, independent inspector general review of FISA Amendments Act implementation that cuts across the intelligence community, and that is not confined to one particular element or agency. Without the benefit of such independent reviews, I am concerned that a five-year extension is too long. [my emphasis]
Here’s what the Inspectors General are supposed to report (basically, they’re supposed to make sure the government is doing what it says it is, and track some–but not the most important–US collection):
The Inspector General of the Department of Justice and the Inspector General of each element of the intelligence community authorized to acquire foreign intelligence information under subsection (a), with respect to the department or element of such Inspector General—
(A) are authorized to review compliance with the targeting and minimization procedures adopted in accordance with subsections (d) and (e) and the guidelines adopted in accordance with subsection (f);
(B) with respect to acquisitions authorized under subsection (a), shall review the number of disseminated intelligence reports containing a reference to a United States-person identity and the number of United States-person identities subsequently disseminated by the element concerned in response to requests for identities that were not referred to by name or title in the original reporting;
(C) with respect to acquisitions authorized under subsection (a), shall review the number of targets that were later determined to be located in the United States and, to the extent possible, whether communications of such targets were reviewed;
Which is interesting because, in addition to adding a general review of the FAA collection and use by the Intelligence Inspector General, Leahy’s substitute amendment tweaked the language on IG reviews, as well.
In addition to requiring the IGs to count the number of targets later found to be located in the US, Leahy also required them to count how many US persons had been targeted, such that (C) would read,
(C) with respect to acquisitions authorized under subsection (a), shall review the number of targets that were later determined to be United States persons or located in the United States and, to the extent possible, whether communications of such targets were reviewed; [my emphasis]
More interesting still, he changes the language describing which agencies will undertake such reviews (and it’s a change in language he makes elsewhere in one or two places). Rather than requiring reviews from agencies that are “authorized to acquire foreign intelligence information,” he requires it from agencies “with targeting or minimization procedures approved under this section.” So the introductory paragraph in this section would read,
The Inspector General of the Department of Justice and the Inspector General of each element of the intelligence community with targeting or minimization procedures approved under this section, with respect to the department or element of such Inspector General— [my emphasis]
Though note, the language in paragraph C still refers to acquisitions.
This seems to suggest there are agencies (the NSA) that are authorized to acquire all this telecom traffic. And then there are agencies (FBI, intelligence agencies at DOD, DEA) that have “minimization” procedures–that is, that actually access and use the information. And Leahy’s trying to make sure we get reporting from both types of agencies.
All of which seems to pertain to something Julian Sanchez wrote about here. Not only doesn’t “targeting” mean what you would think it means. But minimization doesn’t either.
Communications aren’t “minimized” until they’re reviewed by human analysts—and given the incredible volume of NSA collection, it’s unlikely that more than a small fraction of what’s intercepted ever is seen by human eyes. Yet in the statements above, we have two intriguing implications: First, that “collection” and “minimization” are in some sense happening contemporaneously (otherwise how could “collection” be “pursuant to” minimization rules?) and second, that these procedures are somehow fairly intimately connected to the question of “reasonableness” under the Fourth Amendment.
To make sense of this, we need to turn to the Defense Department’s somewhat counterintuitive definition of “collection” for intelligence purposes. As the Department’s procedures manual explains:
Information shall be considered as “collected” only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties…. Data acquired by electronic means is “collected” only when it has been processed into intelligible form.
This dovetails with a great deal of what we know about recent NSA surveillance, in which enormous quantities of communications are stored in a vast database codenamed Pinwale for later analysis.
The language of these statements, however, would be consistent with the clever “solution” former NSA employees and whistleblowers like Bill Binney have long been telling us the agency has adopted. Referring to a massive data storage facility being constructed by NSA in Utah, Binney writes:
The sheer size of that capacity indicates that the NSA is not filtering personal electronic communications such as email before storage but is, in fact, storing all that they are collecting. The capacity of NSA’s planned infrastructure far exceeds the capacity necessary for the storage of discreet, targeted communications or even for the storage of the routing information from all electronic communications. The capacity of NSA’s planned infrastructure is consistent, as a mathematical matter, with seizing both the routing information and the contents o all electronic communications.
Binney argues that when NSA officials have denied they are engaged in broad and indiscriminate “interception” of Americans’ communications, they are using that term “in a very narrow way,” analogous to the technical definition of “collection” above, not counting an e-mail or call as “intercepted” until it has been reviewed by human eyes. On this theory, the entire burden of satisfying the Fourth Amendment’s requirement of “reasonableness” is borne by the “minimization procedures” governing the use of the massive Pinwale database. On this theory, the constitutional “search” does not occur when all these billions of calls and emails are actually intercepted (in the ordinary sense) and recorded by the NSA, but only when the database is queried.
So here’s what I take away from all this.
First, there’s no requirement that the agencies track when Americans get targeted (whether overseas or in the US), which, remember, is different than Americans having their communications read as part of “minimization.”
Second, it seems possible that some agencies aren’t doing this kind of reporting at all, because they technically can’t “acquire” but they can “minimize” (that is, acquire) contacts.
Third, the two most important agencies–NSA and FBI–have not submitted some of the compliance reviews. So, for example, we don’t know whether FBI has been minimizing (that is, acquiring) contacts from Americans willy nilly.
Fourth, the FISA Court may not even see all of what Congress sees. And even without it, the Court found the government to be violating the Fourth Amendment at least once.
Fifth, no one has ever looked at how all this fits together, how what we would call acquisition fits together with minimization (which is when the government seems to claim “acquisition” happens). Which given that it appears the end users–the people who acquire under the name of minimization–seem to be the only ones who find out if the program is picking up Americans, means we don’t know how often the collection process ends up collecting on US persons.
Finally, in spite of all of these data gaps, they’re just going to extend the program for another three (or probably five, after it gets through Congress) anyway.
For a bunch of elected representatives purportedly trying to make sure we get the information we need, they seem to be in a rush to renew this program without the information we need.