As I was working through some other things last night, I had an opportunity to compare the minimization standards for the FISA Amendments Act (see section h) with the standards under which the actual minimization procedures allow the retention of purely domestic communications (that is, between parties that are all within the United States). These procedures are in addition to procedures that affect foreign communications (with one of the participants a non-US person outside the US).
Last night, I suggested there were 3 “normal” standards and one that doesn’t appear in the law pertaining to cybersecurity and encrypted communications. But that’s not entirely right. The last standard in the actual law reads,
(4) notwithstanding paragraphs (1), (2), and (3), with respect to any electronic surveillance approved pursuant to section 1802 (a) of this title, procedures that require that no contents of any communication to which a United States person is a party shall be disclosed, disseminated, or used for any purpose or retained for longer than 72 hours unless a court order under section 1805 of this title is obtained or unless the Attorney General determines that the information indicates a threat of death or serious bodily harm to any person.
That is, the actual law allows retention of information for up to 72 hours (presumably to process, which is moot anyway, since they’re actually keeping this data 5 years), unless the court or the Attorney General says it must be kept longer because it pertains to threat of death of serious bodily harm.
But in the minimization standards themselves, here’s how that reads.
A communication identified as a domestic communication will be promptly destroyed upon recognition unless the Director (or Acting Director) of NSA specifically determines, in writing, that:
the communication contains information pertaining to a threat of serious harm to life or property. [my emphasis]
In plain language, the law seems to be about saving human lives. But in paragraphs marked Secret, the government has redefined threat of death or “serious bodily harm to any person” as “serious harm to life or property.”
And while it’s just a guess here, I’m guessing that they switched this language, protecting property, not people, to protect corporate people.
In any case, spying on entirely domestic communications to protect against threats entirely to property, not life, sure seems like a giant loophole in a program that is supposed to be focused exclusively on foreign intelligence.