October 5, 2017 / by emptywheel


702 Reauthorization Bill: The “About” Fix (What Is A Person?)

I’m going to do a series of posts on the draft 702 reauthorization bill, which is here. The bill makes a number of improvements to the status quo, but it’s not clear whether it fixes the biggest problems with Section 702.

Take the “about” fix, which is a short and sweet change to the targeting procedures.

(4) LIMITATION.—During the period preceding September 30, 2023, the procedures adopted in accordance with paragraph (1) shall require that the targeting of a person is limited to communications to or from the targeted person.

As a reminder, “about” collection targeted the content of “communications” — perhaps searching on something like Osama bin Laden’s phone number in the content of email. It posed a problem because sometimes NSA obtains upstream communications in bundles, meaning they’ll get a number of unrelated communications at the same time. In such a case, if an email in a bundle included the target (OBL’s phone number), then all the emails would be collected, which also might include emails to other people. In a small number of cases, such collection would result in the collection of entirely domestic communications that had no foreign intelligence value; it resulted in a larger number of entirely domestic, unbundled communications that were of foreign intelligence value because they mentioned the selector.

The legislative fix largely parallels the fix Rosemary Collyer approved in April. She accomplished this (relying on an Administration memo that, unlike almost everything else from the reauthorization process, has not been released) this way:

Finally, upstream collection of Internet transaction [redacted] for communications to or from a targeted person, but “abouts” communication may no longer be acquired. The NSA Targeting Procedures are amended to state that “[a]cquisitions conducted under these procedures will be limited to communications to or from persons targeted in accordance with these procedures. [citation removed], and NSA’s Minimization Procedures now state that Internet transactions acquired after March 17, 2017, “that are not to or from a person targeted in accordance with NSA’s section 702 targeting procedures are unauthorized acquisitions and therefore will be destroyed upon recognition.” [citation removed]

Here’s how it looks in practice, in the current targeting procedures.

In both cases, I have a similar concern, one which is made more obvious in the targeting procedures. They start by suggesting that all acquisitions under 702 will be limited to “communications to or from persons targeted in accordance with these procedures.” But then its discussion of upstream collection defines “Internet transaction” in such a way to treat it only as a communication.

The draft bill similarly suggests the possibility that there is the targeting of persons — for whom the active user rule much hold, but if there were some other kind of targeting, it might not hold.

What is a person, in this situation? Does this language prevent NSA from targeting a group (a point raised by John Bates on precisely this point in 2011)? Can NSA target — say — an encryption product used by a corporate group (ISIS’s shitty encryption product, for example), and if so are all users of that product assumed to be part of the group? What happens if the collection is targeting the command and control server of a botnet; any communications back and forth from it are, technically speaking, communications, but not involving a human person.

In other words, both versions of this prohibition seem to operate under they fiction that NSA is just collecting emails, traditional communications between traditional people. I’m actually not sure how the language would apply to other stuff. I’m also not sure if the possible exceptions would have privacy concerns.

Which is why I’m not certain whether the prohibition actually eliminates the privacy threat in question.

Not least, because directly after the introduction of the prohibition in her opinion, Collyer acknowledges that NSA will still obtain entirely domestic comms.

As I’ve said elsewhere, I think this prohibition does fix the email (and other kinds of Internet messaging) MCT problem. But given that even Collyer admits NSA will still obtain domestic communications, there’s still the problem that those domestic comms will be sucked up in the newly permitted back door searches of upstream communications.

Copyright © 2017 emptywheel. All rights reserved.
Originally Posted @ https://www.emptywheel.net/2017/10/05/702-reauthorization-bill-the-about-fix-what-is-a-person/