NSA Conducts So Many Back Door Searches on US Persons It Would Be Impracticable to Approve Those Queries

Update, 8/3/14: Given what we’ve subsequently learned about FBI’s substantial number of uncounted back door searches, Litt’s description of further controls as not practicable probably most directly relates to FBI, not NSA.

While there wasn’t as much as I’d like, the Privacy and Civil Liberties Oversight Board hearing today focused somewhat on the issue of back door searches: which are when NSA searches on US person data on “incidentally” collected data under Section 702 of FISA.

DOJ National Security Director Deputy AAG Brad Wiegmann even suggested we should call them queries, perhaps to obscure all the obvious problems with them as searches under the Fourth Amendment.

The most telling exchange, however, came when PCLOB Board Member Patricia Wald suggested that the FISA Court conduct the same kind of oversight over these backdoor searches that it is now doing pursuant to the changes in Section 215 President Obama made in January. (CSPAN won’t let me embed this yet but here’s a link.) ODNI General Counsel Robert Litt shot that idea down aggressively, stating that is is not practicable.

Patricia Wald: The President required, or, I think he required in his January directive that went to 215 that at least temporarily, the selectors in 215 for questioning the databank of US telephone calls–metadata–had to be approved by the FISA Court. Why wouldn’t a similar requirement for 702 be appropriate in the case where US person indicators are used to search the PRISM database? What big difference do you see there?

Robert Litt: Well, I think from a theoretical perspective it’s the difference between a bulk collection and a targeted collection which is that–

Wald: But I would think that, sorry for interrupting, [cross-chatter]  I would think that message since 702 has actually got the content.

Litt: Well, and the second point that I was going to make is that I think the operational burden in the context of 702 would far greater than in the context of 215.

Wald: But that would–

Litt: If you recall, the number of actual telephone numbers as to which a  RAS–reasonable articulaable suspcion determination was made under Section 215 was very small. The number of times that we query the 702 database for information is considerably larger. I suspect that the Foreign Intelligence Surveillance Court would be extremely unhappy if they were required to approve every such query.

Wald: I suppose the ultimate question for us is whether or not the inconvenience to the agencies or even the unhappiness of the FISA Court would be the ultimate criteria.

Litt: Well I think it’s more than a question of convenience, I think it’s also a question of practicability.

NSA General Counsel Raj De, who has spent the better part of the last 9 months saying “it’s only metadata” went on to argue that somehow this “targeted” content program (which of course requires no advance review of selectors) is less intrusive than the metadata collection under Section 215.

Make up your damn mind!

To be fair, I suspect one of the issues is that after the Nidal Hasan attack (and this is just a very well educated guess), NSA rolled out a system whereby new communications between a targeted foreigner and an American automatically pulls up all previous communications involving that US person. That would count as a search, even though it would effectively feel like an automatic cross-referencing of all prior communications involving someone talking to a target, even if that is a US person.

Nevertheless, this means that NSA is conducting so many back door searches on US person data that it would be “impracticable” to actually give those searches some kind of review.

No wonder NSA refuses to give numbers on this practice to Ron Wyden.

Raj De and the Back-Door Loophole

As I already noted, NSA General Counsel lied in today’s PCLOB hearing when he said the use of Section 215 to conduct a phone dragnet had the indicia of legitimacy because Congress twice reauthorized the PATRIOT after the executive had given it full information.

We know that the 2010 freshman class — with the exception of the 7 members who served on the Judiciary or Intelligence Committees — did not have opportunity to learn the most important details about the phone dragnet before reauthorizing PATRIOT in 2011. And it appears DOJ withheld from the Judiciary and Intelligence the original phone dragnet opinion — and they clearly withheld significant FISC materials on it — until August 2010, after PATRIOT had been reauthorized the first time. I trust Ben Wittes, who wants to prevent Jim Sensenbrenner from commenting on NSA’s secrecy because he’s dishonest about his own role, applies a similar standard to Raj De.

But I was even more interested in the way De answered Center for Democracy and Technology’s Jim Dempsey’s question about the back-door loophole in which NSA searches on incidentally collected US person data (starting at 2:09:00).  Dempsey asked whether NSA needed something like the Reasonably Articulable Suspicion before it searched incidental US person data. De treated the question as nonsensical, given that when you collect on a particular phone number in the criminal context you don’t need to ignore what you find.

In other words, the NSA has a lower standard for access this content than they do for accessing the metadata of our phone calls.

Curiously, though, De tried to tout the minimization of both 702 and EO 12333 collection to present this as reasonable.

By minimization, Dempsey asked, you mean you keep it.

De insisted that no, there’s minimization at each step of the process.

I get how he was trying to use this blatant dodge. I get that the NSA assumes they can take everything so long as they’re careful about how they sent it around.

But make no mistake. NSA searches on the data before it gets minimized.

Here’s how this year’s Semiannual Compliance Review, submitted by the Attorney General and Director of National Intelligence, describes this practice.

NSA’s querying of unminimized Section 702-acquired communications using United States person identifiers (page 7)

Here’s how John Bates referred to the practice, based on a submission the NSA had made itself (though before De was writing the documents), in his October 3, 2011 opinion.

The government has broadened Section 3(b)(5) to allow NSA to query the vast majority of its Section 702 collection using United States-Person identifiers, subject to approval pursuant to internal NSA procedures and oversight by the Department of Justice. Like all other NSA queries of the Section 702 collection, queries using United States-person identifiers would be limited to those reasonably likely to yield foreign intelligence information. (page 22-23)

Bates justifies this practice by pointing to another agency’s (almost certainly FBI) use of the practice, which he describes as,

an analogous provision allowing queries of unminimized FISA-acquired information using identifiers — including United States-person identifiers — when such queries are designed to yield foreign intelligence information.

The NSA has restrictions about circumstances in which they can share this data (which arguably will be expanded under Dianne Feinstein’s FakeFISAFix). But they allow the NSA to share this data if it is “foreign intelligence,” evidence of a crime, and evidence of a threat to life-which-to-NSA-means-property.

They can sweep up entire countries worth of Internet traffic. They can sweep up entire mailboxes overseas. And then go in, without a warrant, and “discover” evidence of crime.