Does Acting National Security Division Head John Carlin Know about FISA Sections 703 and 704?

There were several curious exchanges in today’s hearing for Acting National Security Division AAG John Carlin to become the official AAG.

I’ll start with this exchange. (After 1:01, my transcription)

Udall: I want to talk about Executive Order 12333, with which you’re familiar. I understand that the collection, retention, or dissemination of information about US persons is prohibited under Executive Order 12333 except under certain procedures approved by the Attorney General. But this doesn’t mean that US person information isn’t mistakenly collected or obtained and then disseminated outside these procedures, so take this example. Let’s say the NSA’s conducting what it believes to be foreign to foreign collection under EO 12333 but discovers in the course of this collection that it also incidentally collected a vast trove of US person information. That US person collection should now have FISA protections. What role does the NSD have in overseeing any collection, retention, or dissemination of US person information that might occur under that executive order?

Carlin: Senator, so, generally the intelligence activities that NSA would conduct under its authorities pursuant to EO 12333 would be done pursuant to a series of guidelines that were approved by the Attorney General and then ultimately implemented through additional policies and procedures by NSA. But the collection activities that occur pursuant to 12333, if there was incidental collection, would be handled through a different set of oversight mechanisms than the Department’s – by the Office of Compliance, the Inspector General there, the General Counsel there, and the Inspector General and General Counsel’s office for the Intelligence Community writ large, as well as reporting to these committees as appropriate.

Udall: So you don’t see a role for NSD in ensuring that that data is protected under FISA?

Carlin: Under FISA, no, under FISA we would have a direct role, so if it was under, if it was collection that was pursuant to the FISA statutes, so collection targeted at US persons, for example, or collection targeted at certain non-US persons overseas that was collected domestically such as pursuant to the 702 collection program. That would fall within the scope of the National Security Division. That’s information that — and oversight that we conduct through our oversight section in conjunction with the agencies. We would have the responsibility in terms of informing, of working with them to inform the court if there were any compliance incidents and making sure those compliance incidents were addressed.

Udall: My time’s obviously expired, but I think you don’t understand where I’m coming from here. One is to make sure the DOJ and you in your capacity have the most accurate information so you can represent United States of America and our citizens in the best possible way, and secondly that you have an additional role to play in providing additional oversight. Those are all tied to having information that’s factual, that’s based on what happened, and I’m going to continue to look for ways possible to make sure that’s what does happen, whether it’s under the auspices of the IC or the DOJ. You all have a responsibility to protect the Bill of Rights.

Udall asks Carlin about a “vast trove” of US person data collected under the guise of EO 12333, and asks whether NSD would have a role in protecting it under FISA.

Carlin responds by saying NSD wouldn’t have any role; only NSA and ODNI have oversight over EO 12333 compliance with the Attorney General approved guidelines.

At first, I thought Udall didn’t get Carlin’s point — that this data would get no FISA protection. (Earlier in the hearing, Dianne Feinstein had even pointed out EO 12333 collection gets less oversight, and suggested maybe NSD should play a role in EO 12333 compliance.)

But upon review, Udall may have been suggesting something else (I have a question in with his office seeking clarity on this point).

By all appearances, this was content, not metadata (under SPCMA, metadata collection is considered fair game).

US person content cannot be collected overseas — not intentionally at least — outside the purview of FISA sections 703 and 704.

And while admittedly I have yet to meet a lawyer who has been able to explain precisely how those statutes work, and while the White House has given particularly crazy answers on this point, it seemed that Carlin couldn’t even conceive of a way that US person content collected overseas would be protected under FISA.

He may simply be reflecting NSA policy that if they collect US person content overseas under EO 12333, they call it incidental and therefore never have to consider the FISA implications. And that may well be what the letter of the law provides (in which case I’m sure NSA never ever exploits that loophole, nosirree bob).

But he seemed completely unfamiliar with the concept that, under the FISA Amendments Act, US persons do get FISA protection overseas.


Update: According to Udall’s spokesperson, he wasn’t specifically thinking of 703 and 704, but asking whether this data “should” fall under FISA and therefore under NSD’s oversight.


Obama: My Overseas Spying Not Constrained by the Law I Passed as Senator

In a democracy in which separation of powers still functioned as intended, this would be a deliberate provocation (my transcription):

The Snowden disclosures have identified areas of legitimate concern. Some of it has also been highly sensationalized and has been painted in a way that’s not accurate. I’ve said before and I will say again: the NSA actually does a very good job about not engaging in domestic surveillance. Not reading people’s emails, not listening to the content of their phone calls. Outside of our borders, the NSA is more aggressive. It’s not constrained by laws. And part of what we’re trying to do over the next month or so is having done an independent review — brought a bunch of folks, civil libertarians, lawyers, and others, to examine what’s being done — I’ll be proposing some self-restraint on the NSA and to initiate some reforms that can give people some more confidence.

Where to start?

First, it is false to say NSA does a very good job of not engaging in domestic surveillance. They’ve been caught doing so, on a programmatic scale, under Obama’s Administration, twice. At least one of those programs simply moved overseas after being caught. The President basically said that being caught twice illegally wiretapping thousands (under the upstream collection) and millions (under the Internet dragnet) of Americans domestically is a good job!

Add in the fact that NSA can read the content of collected US person communications with no Reasonable Articulable Suspicion, with no reporting requirements. That certainly amounts to the authority to conduct fairly unlimited amounts of domestic surveillance via the back door loophole.

And to suggest NSA is “not constrained by laws” overseas is equally false.

First, there’s the Constitution. Under that, even EO 12333 activity should come at the direction of the President. In this passage, the President says Snowden’s disclosures have raised legitimate concerns. I know ODNI and NSA will point to the National Intelligence Priorities Framework as their authorization for these activities the President now finds problematic. But if they’re doing things overseas that raise concerns, then it is an admission from the White House that it has inadequate control of the NSA.

More importantly, it is false to say even that NSA is not constrained by mere laws overseas. Section 703 of the FISA Amendments Act — a law which Obama played a crucially important role in passing as a Senator — says NSA can’t wiretap Americans overseas without specific authority from FISC. Section 704 limits physical searches, which NSA uses to authorize collection from servers. As far as I know, no one has considered whether the deliberate collection of US person content overseas — albeit in bulk — complies with Sections 703 and 704. But it at least lays out some limits on NSA’s overseas spying.

To all this, Obama’s solution is to propose self-restraint on the NSA.

Again, it is the role of the President — and the White House more generally — to oversee activities conducted under Article II authority. The language Obama uses here suggests an NSA unbound by his control, one he “proposes” to rein in rather than “orders” to do so.

That equates to NSA operating beyond the law, both here and abroad.