Five Reasons the 702 Reauthorization Transparency Provisions Are Bogus
I thought that, after Bob Litt left the Office of Director of National Intelligence, we might stop pushing transparency measures in surveillance bills that don’t provide transparency.
For the most part, the added transparency in the bill is either already being accomplished (like counts of individual FISA orders or published minimization procedures) or useless. The exception is language requiring a real count of Pen Registers, which would fix a problem in the USA Freedom Act transparency provisions, which only counted Pen Registers that targeted communications, but not that targeted things like location data.
I’ll deal with two others — a declaration tied to Section 309 and a Comptroller General review of classification — separately.
The truly insulting “transparency” provisions, however, are the ones that pretend to count US person impact but do anything but. There are two parts to them. First, the bill mandates semiannual reports from the FBI (which, remember, got exempted from everything meaningful in the USA Freedom Act transparency provisions).
(d) SEMIANNUAL FBI REPORTS.—Together with the semiannual report submitted under subsection (a), the Director of the Federal Bureau of Investigation shall submit to the congressional committees specified in such sub-section, and make publicly available, a report containing, with respect to the period covered by the report, the number of queries made by the Federal Bureau of Investigation described in subsection (j)(1) of section 702 that resulted in communications being accessed or disseminated pursuant to such subsection.
The section requires the FBI Director to count how many queries are made under the new court order queries that — as I’ve already pointed out — are utterly meaningless. Whereas last year there was one equivalent count, in the future there will be none, because it will be a pain in the ass to get a criminal search order and it will remain easy as pie to treat any query as an assessment to use criminal evidence for foreign intelligence purposes. So this requirement is like dividing by zero: it doesn’t get you anywhere.
Then there’s the sham count of US persons sucked in by 702.
(c) INCIDENTALLY COLLECTED COMMUNICATIONS AND OTHER INFORMATION.—Together with the semi-annual report submitted under subsection (a), the Director of National Intelligence shall submit to the congressional committees specified in such subsection a report on incidentally collected communications and other information regarding United States persons under section 702. Each such report shall include, with respect to the 6-month period covered by the report, the following:
(1) Except as provided by paragraph (2), the number, or a good faith estimate, of communications acquired under subsection (a) of such section of known United States persons that the National Security Agency positively identifies as such in the ordinary course of its business, including a description of any efforts of the intelligence community to ascertain such number or good faith estimate.
(2) If the Director determines that calculating the number, or a good faith estimate, under paragraph (1) is not achievable, a detailed explanation for why such calculation is not achievable.
(3) The number of—
(A) United States persons whose information is unmasked pursuant to subsection (e)(4) of such section;
(B) requests made by an element of the Federal Government, listed by each such element, to unmask information pursuant to such subsection; and
(C) requests that resulted in the dissemination of names, titles, or other identifiers potentially associated with individuals pursuant to such subsection, including the element of the intelligence community and position of the individual making the request.
(4) The number of disseminations of communications acquired under subsection (a) of section 702 to the Federal Bureau of Investigation for cases not pertaining to national security or foreign intelligence.
(5) The number of instances in which evidence of a crime not pertaining to national security or foreign intelligence that was identified in communications acquired under subsection (a) of section 702 was disseminated from the national security branch of the Bureau to the criminal investigative division of the Bureau (or from such successor branch to such successor division).
Here’s why this is meaningless:
Under 702 precedent, it’s unclear whether the most intrusive collection is “incidental” or “intentional”
First, note what they call this? “Incidentally collected” communications.
One of the most concerning groups of Americans collected under 702 are, at least according to John Bates’ 2011 702 opinion, not incidental. Those are the entirely domestic communications believed to be foreign and targeted intentionally, such as the old MCT emails.
That’s important because what likely happens with a good deal of Americans communications — those collected under the 2014 exception — will mostly be purged in the post-tasking process. When NSA did a count of collections in 2011, they tried to hide how much they’re purging — and likely did hide a good bit even from the final count. The language of this provision, which only requires a count of Americans it “positively identifies as such in the ordinary course of its business,” would certainly invite NSA to do the same again.
At the very least, this provision should include both a definition of incidental and a definition of “ordinary course of business.”
An “ordinary course of business” at NSA will miss where most interaction with US person data occurs in the “ordinary course of business”
Then consider what it means that NSA — and not CIA or FBI, both of whom do a lot more searches on Americans collected under 702 — is asked to do this count. The other agencies are going to come across a lot more Americans because they’re looking for them, but that ordinary course of business exposure of Americans won’t ever be counted if the only count happens at NSA.
If DNI won’t be asked for a real count, don’t permit him to say a count is impossible
And even there, the DNI can balk and — as he and others have been saying for 6 years — claim they can’t come up with a number. This provision should either demand a real number and permit this cop out, or use the “ordinary course” number and demand a real number.
The obsession with unmasking represents an elite person’s focus on impact
Unsurprisingly, there’s several requirements on unmasking (as well as another entire section of this focusing on procedures for unmasking and a dedicated report on it, which I’m ignoring).
I know that certain Republicans have discovered the impact of surveillance by learning that they or their friends can be swept up having sensitive conversations with Russians. But the focus on unmasking really reflects an elite concern. That’s because the people who are most likely to be swept up in intercepts but masked because the political sensitivity of collecting on them outweighs the intelligence value are elites — people like Devin Nunes and Jeff Sessions, not people like Mohammed Mohamud or other brown people. Those non-elite people are the ones who’ll be prosecuted for being swept up in a 702 intercept, rather than warned off by the FBI.
So along with the boredom of having Republicans continue to pretend this is the most dangerous impact on Americans, understand that believing that is largely about elites worrying about elites.
Tracking disseminations that don’t happen
Finally, the transparency provisions track two kinds of sharing with FBI criminal investigators, that don’t track how Americans might be affected in criminal investigations.
First, it asks for “The number of disseminations of communications acquired under subsection (a) of section 702 to the Federal Bureau of Investigation for cases not pertaining to national security or foreign intelligence.” It doesn’t define “national security” (elsewhere, the bill invites the IC to define foreign intelligence). It doesn’t say “dissemination” from whom? Is this just crimes like kiddie porn (which can be a foreign intelligence if owned by a Boeing engineer, under the Gartenlaub precedent) identified by the NSA and handed over?
But the entire item is pretty meaningless, given that FBI gets raw data, which is where evidence of a crime is most likely to be IDed.
Then there’s the question about how much gets disseminated from FBI’s National Security Division to FBI’s criminal division. But at least as I understand it from Semiannual reports, access to FISA data has all been decentralized to the field office. Already, that creates problems for oversight, because ODNI and DOJ aren’t doing visits to all field offices (contrary to what was claimed in congressional testimony this year). But that also means it doesn’t (as far as I know) take a dissemination from NSD to criminal to result in the dissemination of information, because Agents with FISA clearance are going to be able to access that data from the comfort of their own office.
For both these counts, then, HJC seems to be pretending that no raw 702 data is shared with FBI. But it is. And that’s the stuff that matters.
Which is why that’s the stuff we’ll never be able to count.
Congress keeps pretending they want counts of the impact of this. The NSA count they’re refusing to do is one thing — they can at least claim privacy considerations.
But they biannual charade of pretending we’re getting FBI to examine the impact of their actions when in fact we’re letting them operate without any such metrics is getting old.