Does Acting National Security Division Head John Carlin Know about FISA Sections 703 and 704?

There were several curious exchanges in today’s hearing for Acting National Security Division AAG John Carlin to become the official AAG.

I’ll start with this exchange. (After 1:01, my transcription)

Udall: I want to talk about Executive Order 12333, with which you’re familiar. I understand that the collection, retention, or dissemination of information about US persons is prohibited under Executive Order 12333 except under certain procedures approved by the Attorney General. But this doesn’t mean that US person information isn’t mistakenly collected or obtained and then disseminated outside these procedures, so take this example. Let’s say the NSA’s conducting what it believes to be foreign to foreign collection under EO 12333 but discovers in the course of this collection that it also incidentally collected a vast trove of US person information. That US person collection should now have FISA protections. What role does the NSD have in overseeing any collection, retention, or dissemination of US person information that might occur under that executive order?

Carlin: Senator, so, generally the intelligence activities that NSA would conduct under its authorities pursuant to EO 12333 would be done pursuant to a series of guidelines that were approved by the Attorney General and then ultimately implemented through additional policies and procedures by NSA. But the collection activities that occur pursuant to 12333, if there was incidental collection, would be handled through a different set of oversight mechanisms than the Departments–by the Office of Compliance, the Inspector General there, the General Counsel there, and the Inspector General and General Counsel’s office for the Intelligence Community writ large, as well as reporting to these committees as appropriate.

Udall: So you don’t see a role for NSD in ensuring that that data is protected under FISA?

Carlin: Under FISA, no, under FISA we would have a direct role, so if it was under, if it was collection that was pursuant to the FISA statutes, so collection targeted at US persons, for example, or collection targeted at certain non-US persons overseas that was collected domestically such as pursuant to the 702 collection program. That would fall within the scope of the National Security Division. That’s information that — and oversight that we conduct through our oversight section in conjunction with the agencies. We would have the responsibility in terms of informing, of working with them to inform the court if there were any compliance incidents and making sure those compliance incidents were addressed.

Udall: My time’s obviously expired, but I think you don’t understand where I’m coming from here. One is to make sure the DOJ and you in your capacity have the most accurate information so you can represent United States of America and our citizens in the best possible way, and secondly that you have an additional role to play in providing additional oversight. Those are all tied to having information that’s factual, that’s based on what happened, and I’m going to continue to look for ways possible to make sure that’s what does happen, whether it’s under the auspices of the IC or the DOJ. You all have a responsibility to protect the Bill of Rights.

Udall asks Carlin about a “vast trove” of US person data collected under the guise of EO 12333, and asks whether NSD would have a role in protecting it under FISA.

Carlin responds by saying NSD wouldn’t have any role; only NSA and ODNI have oversight over EO 12333 compliance with the Attorney General approved guidelines.

At first, I thought Udall didn’t get Carlin’s point — that this data would get no FISA protection. (Earlier in the hearing, Dianne Feinstein had even pointed out EO 12333 collection gets less oversight, and suggested maybe NSD should play a role in EO 12333 compliance.)

But upon review, Udall may have been suggesting something else (I have a question in with his office seeking clarity on this point).

By all appearances, this was content, not metadata (under SPCMA, metadata collection is considered fair game).

US person content cannot be collected overseas — not intentionally at least — outside the purview of FISA sections 703 and 704.

And while admittedly I have yet to meet a lawyer who has been able to explain precisely how those statutes work, and while the White House has given particularly crazy answers on this point, it seemed that Carlin couldn’t even conceive of a way that US person content collected overseas would be protected under FISA.

He may simply be reflecting NSA policy that if they collect US person content overseas under EO 12333, they call it incidental and therefore never have to consider the FISA implications. And that may well be what the letter of the law provides (in which case I’m sure NSA never ever exploits that loophole, nosirree bob).

But he seemed completely unfamiliar with the concept that, under FISA Amendments Act, US persons do get FISA protection overseas.


Update: According to Udall’s spokesperson, he wasn’t specifically thinking of 703 and 704, but asking whether this data “should” fall under FISA and therefore under NSD’s oversight.


FISA Warranted Targets and the Phone Dragnet

The identifiers (such as phone numbers) of people or facilities for which a FISA judge has approved a warrant can be used as identifiers in the phone dragnet without further review by NSA.

From a legal standpoint, this makes a lot of sense. The standard to be a phone dragnet identifier is just Reasonable Articulable Suspicion of some tie to terrorism — basically a digital stop-and-frisk. The standard for a warrant is probable cause that the target is an agent of a foreign government — and in the terrorism context, that US persons are preparing for terrorism. So of course RAS already exists for FISC targets.

So starting with the second order and continuing since, FISC’s primary orders include language approving the use of such targets as identifiers (see ¶E starting on page 8-9).

But there are several interesting details that come out of that.

Finding the Americans talking with people tapped under traditional FISA

First, consider what it says about FISC taps. The NSA is already getting all the content from that targeted phone number (along with any metadata that comes with that collection). But NSA may, in addition, find cause to run dragnet queries on the same number.

In its End-to-End report submission to Reggie Walton to justify the phone dragnet, NSA claimed it needed to do so to identify all parties in a conversation.

Collections pursuant to Title I of FISA, for example, do not provide NSA with information sufficient to perform multi-tiered contact chaining [redacted]Id. at 8. NSA’s signals intelligence (SIGINT) collection, because it focuses strictly on the foreign end of communications, provides only limited information to identify possible terrorist connections emanating from within the United States. Id. For telephone calls, signaling information includes the number being called (which is necessary to complete the call) and often does not include the number from which the call is made. Id. at 8-9. Calls originating inside the United States and collected overseas, therefore, often do not identify the caller’s telephone number. Id. Without this information, NSA analysts cannot identify U.S. telephone numbers or, more generally, even determine that calls originated inside the United States.

This is the same historically suspect Khalid al-Midhar claim, one they repeat later in the passage.

The language at the end of that passage emphasizing the importance of determining which calls come from the US alludes to the indexing function NSA Signals Intelligence Division Director Theresa Shea discussed before — a quick way for the NSA to decide which conversations to read (and especially, if the conversations are not in English, translate).

Section 215 bulk telephony metadata complements other counterterrorist-related collection sources by serving as a significant enabler for NSA intelligence analysis. It assists the NSA in applying limited linguistic resources available to the counterterrorism mission against links that have the highest probability of connection to terrorist targets. Put another way, while Section 215 does not contain content, analysis of the Section 215 metadata can help the NSA prioritize for content analysis communications of non-U.S. persons which it acquires under other authorities. Such persons are of heightened interest if they are in a communication network with persons located in the U.S. Thus, Section 215 metadata can provide the means for steering and applying content analysis so that the U.S. Government gains the best possible understanding of terrorist target actions and intentions. [my emphasis]

Though, as I have noted before, contrary to what Shea says, this by definition serves to access content of both non-US and US persons: NSA is admitting that the selection criteria prioritizes calls from the US. And in the case of a FISC warrant it could easily be entirely US person content.

In other words, the use of the dragnet in conjunction with content warrants makes it more likely that US person content will be read.

Excluding bulk targets

Now, my analysis about the legal logic of all this starts to break down once the FISC approves bulk orders. In those programs — Protect America Act and FISA Amendments Act — analysts choose targets with no judicial oversight and the standard (because targets are assumed to be foreign) doesn’t require probable cause. But the FISC recognized this. Starting with BR 07-16, the first order approved (on October 18, 2007) after the PAA  until the extant PAA orders expired, the primary orders included language excluding PAA targets. Starting with 08-08, the first order approved (on October 18, 2007) after FAA until the present, the primary orders included language excluding FAA targets.

Of course, this raises a rather important question about what happened between the enactment of PAA on August 5, 2007 and the new order on October 18, 2007, or what happened between enactment of FAA on July 10, 2008 and the new order on August 19, 2008. Read more

Obama: My Overseas Spying Not Constrained by the Law I Passed as Senator

In a democracy in which separation of powers still functioned as intended, this would be a deliberate provocation (my transcription):

The Snowden disclosures have identified areas of legitimate concern. Some of it has also been highly sensationalized and has been painted in a way that’s not accurate. I’ve said before and I will say again: the NSA actually does a very good job about not engaging in domestic surveillance. Not reading people’s emails, not listening to the content of their phone calls. Outside of our borders, the NSA is more aggressive. It’s not constrained by laws. And part of what we’re trying to do over the next month or so is having done an independent review — brought a bunch of folks, civil libertarians, lawyers, and others, to examine what’s being done — I’ll be proposing some self-restraint on the NSA and to initiate some reforms that can give people some more confidence.

Where to start?

First, it is false to say NSA does a very good job of not engaging in domestic surveillance. They’ve been caught doing so, on a programmatic scale, under Obama’s Administration, twice. At least one of those programs simply moved overseas after being caught. The President basically said that being caught twice illegally wiretapping thousands (under the upstream collection) and millions (under the Internet dragnet) of Americans domestically is a good job!

Add in the fact that NSA can read the content of collected US person communications with no Reasonable Articulable Suspicion, with no reporting requirements. That certainly amounts to the authority to conduct fairly unlimited amounts of domestic surveillance via the back door loophole.

And to suggest NSA is “not constrained by laws” overseas is equally false.

First, there’s the Constitution. Under that, even EO 12333 activity should come at the direction of the President. In this passage, the President says Snowden’s disclosures have raised legitimate concerns. I know ODNI and NSA will point to the National Intelligence Priorities Framework as their authorization on these activities the President now finds problematic. But if they’re doing things overseas that raise concerns, then it is an admission from the White House it has inadequate control of the NSA.

More importantly, it is false to say even that NSA is not constrained by mere laws overseas. Section 703 of the FISA Amendments Act — a law which Obama played a crucially important role in passing as a Senator — says NSA can’t wiretap Americans overseas without specific authority from FISC. Section 704 limits physical searches, which NSA uses to authorize collection from servers. As far as I know, no one has considered whether the deliberate collection of US person content overseas — albeit in bulk — complies with Section 703 and 704. But it at least lays out some limits on NSA’s overseas spying.

To all this, Obama’s solution is to propose self-restraint on the NSA.

Again, it is the role of the President — and the White House more generally — to oversee activities conducted under Article II authority. The language Obama uses here suggests an NSA unbound by his control, one he “proposes” to rein in rather than “orders” to do so.

That equates to NSA operating beyond the law, both here and abroad.