As I noted here, I’m working on a post that puts last week’s report on NSA’s use of upstream Section 702 collection in context.
But first, there’s one more detail that deserves its own post.
By March 23, 2012, NSA had drafted a certificate exclusively for cyber, with the intent of getting the FISC to approve it that year (which probably would have been in October). Yet “the current Certifications already allow[ed] for the tasking of cyber signatures such as IP addresses, strings of computer code, and similar non-email or phone number-based selectors.”
And whether or not NSA was already collecting cyber signatures in March 2012, by May, DOJ approved their collection on the Foreign Government certificate.
On May 4, 2012, DOJ sent the Intelligence Committee Chairs a white paper on Section 702 to be shared with the rest of Congress. Here’s the passage that describes how NSA uses upstream collection:
Given that the only redaction here addresses terrorists and the unredacted remainder describes only the collection of email and phone identifiers, it seems virtually certain that the passage — and therefore the white paper — made no mention of the cyber signature collection the NSA and DOJ were actively preparing to collect, and would collect before the reauthorization of FAA that December.
It’s certainly possible DOJ gave Congress notice that the use of Section 702 had changed significantly by the time Congress voted in December, but there’s no public record of it. In the interim period, the Senate defeated a cybersecurity bill that would itself have restricted NSA from obtaining domestically collected cyber data, which reflects real skepticism about spying for cybersecurity purposes in the US.
If, as the record strongly suggests, the government expanded NSA upstream 702 to include cyber signatures without telling Congress before they reauthorized the underlying authority, it would not be the first time: DOJ did not tell even the House Judiciary Committee — much less Congress as a whole — that it was using Section 215 to collect location data until after both the 2010 and 2011 Patriot Act reauthorizations.
Whatever the merit of using 702 upstream collection to hunt hackers — even ignoring the real privacy problems with it — the public record raises serious questions about whether the practice was authorized, and whether Congress would have authorized it. Given that such collection involves an expansion of the intentional collection of domestic data, the apparent absence of Congressional sanction raises real problems about the practice (though, as I’ve suggested, Congress just retroactively authorized the use of whatever illegally-collected 702 data NSA can get FISC to approve the use of).
The NSA’s defenders like to claim Congress always gets notice. But the record shows that, over and over, NSA only asks for forgiveness after the fact rather than asking for permission before the collection.