A privacy and civil liberties board that earlier this year called on the government to halt its program of collecting bulk phone records metadata found little wrong with a separate bulk-collection program that involves collecting internet communications data from service providers and from the internet backbone.
The Privacy and Civil Liberties Board concluded, in its long-awaited report (.pdf) released Tuesday night, that the collection program—which involves obtaining data from service providers like Google and Yahoo using an order from the FISA Court—is clearly legal and authorized under Section 702 of the Foreign Intelligence Surveillance Act. The board also concluded that the collection of data from upstream sources, such as by tapping undersea cables, is also authorized by the statute “as [that program] is currently implemented.”
While the board found that certain aspects of the program are questionable and “push the program close to the line of constitutional reasonableness,” essentially its five members concluded unanimously that the core of the so-called Section 702 program is “clearly authorized by Congress, reasonable under the Fourth Amendment, and an extremely valuable and effective intelligence tool.”
The Electronic Frontier Foundation criticized the report as “legally flawed and factually incomplete.”
Section 702 of the FISA permits the attorney general and the director of national intelligence to authorize the targeting of non-U.S. persons who are reasonably believed to be located outside the U.S., in order to acquire foreign intelligence information. Although the communication of U.S. persons may be “incidentally” scooped up in bulk collections of data, the NSA is prohibited from targeting U.S. persons and must follow procedures to minimize the collection or use of such data. But the NSA may use U.S. identifiers—such as the phone number or email address of a known U.S. person—to search through the collected data for communication that is relevant to an investigation of a foreign target.
The FBI may also query the data for communications relevant to a non-foreign intelligence criminal investigation.
The definition of a targeted “person” is broadly defined under Section 702 and can apply to a person, a company, or even a foreign government or international terrorist group. But, notably, the board asserted that an entire foreign country cannot be a “person” targeted under Section 702.
This doesn’t, however, preclude the NSA from targeting an entire country for surveillance—recent revelations in documents released by NSA whistleblower indicate that the spy agency has a surveillance program that does record every cell phone call on the island nation of the Bahamas, while WikiLeaks says the same program is collecting calls in Afghanistan. This collection program is not conducted under Section 702 authority, however.
Although the review board approved of much of the Section 702 collection program, it did highlight parts of the program that are cause for concern.
These include the “unknown and potentially large scope” of incidental collections of communications involving U.S. persons that get scooped up in data the government collects on foreign targets.
It also includes a category of data collection known as “about” collections, which involve collecting communications that are neither to nor from a target of surveillance but are simply “about” the target. And it includes any searches the government conducts on collected communications that involves the communications of specific U.S. persons caught up in the data—queries that are often called “backdoor” searches because they can be abused by the government to target U.S. persons without formally targeting them in the initial collection of data.
To ensure that the collection program isn’t abused and “remains tied to its constitutionally legitimate core,” the board members made a number of recommendations.
Among them—the NSA should revise its procedures to specify the criteria it uses for determining the expected value it will get from the collection of foreign intelligence on a particular target. The NSA should also periodically review the types of communications it acquires in “about” collections to gauge ways to refine and limit the types of data it collects.
The NSA and CIA should be allowed to use U.S. person identifiers—such as a phone number or email address—to query the collected data for foreign intelligence purposes only upon producing a statement of facts showing that such a query is “reasonably likely” to return foreign intelligence information as defined under FISA. The NSA and CIA should have written guidelines telling agents and analysts what information and documentation is needed to meet this standard. Limits should also be placed on the FBI’s ability to use and disseminate data collected under the Section 702 program when that use involves non–foreign intelligence criminal matters.\\Additionally, two of the board members, Chairman David Medine and member Patricia Wald, recommended that before conducting a search using a U.S. person identifier, the query should be submitted to the FISA court for approval, excluding exigent circumstances or where otherwise required by law.
“The FISA court should determine, based on documentation submitted by the government, whether the use of the U.S. person identifier for Section 702 queries meets the standard that the identifier is reasonably likely to return foreign intelligence information as defined under FISA,” they wrote.
As soon as a query involving a U.S. person’s data is conducted, any communications that comes up in the results that do not qualify under the statute as foreign intelligence information should be purged immediately. “This process should be subject to judicial oversight,” they note, to ensure compliance.
They also felt that the FBI should obtain prior approval from the FISA Court before querying the collected data in connection to criminal matters not pertaining to foreign intelligence criminal matters, in order to ensure that the query is reasonably likely to return information relevant to an assessment or investigation of a crime.
Legal experts with with EFF were unimpressed with the board’s conclusions or recommendations, writing in a blog post that the board skips over the essential privacy problems inherent in the “upstream” collection program—namely that through this activity, the government has access to or is able to acquire nearly all communications that travel over the internet.
“The board focuses only on the government’s methods for searching and filtering out unwanted information,” the EFF’s Cindy Cohn and Mark Jaycox write in their post. “This ignores the fact that the government is collecting and searching through the content of millions of emails, social networking posts, and other internet communications….”
The board’s constitutional analysis also leaves EFF perplexed. Although the Fourth Amendment requires a warrant for searching the content of communication Under Section 702, the review board apparently believes no warrant is required and therefore doesn’t address that the government searches through content without a warrant.
EFF called the review board’s recommendations for reform “anemic” and said they would do little to stop excessive surveillance.
The review board did offer one prescription that would mildly improve the transparency of the collection program.
Specifically, it called on the NSA to produce an annual report for Congress and the public, which would calculate the number of telephone communications it acquires in which one caller is located in the U.S.; the number of internet communications acquired through upstream collection processes that originate or terminate in the U.S.; the number of communications of or concerning U.S. persons that the NSA positively identifies as such; the number of queries performed that involve a U.S. person identifier, such as a name, title, email address or other identifier known to be associated with a U.S. individual; and the number of instances in which the NSA disseminates such information about U.S. persons.
Last week the intelligence community released its first surveillance transparency report, which many critics considered anything but transparent. The report listed figures for how often agencies used various orders and authorities to conduct surveillance.
According to the report, the government obtained just one order under Section 702 of the FISA Act for all of 2013. But that one order involved collection of data on more than 89,000 targets. The actual number of people affected by the order is much larger, however, since, as noted, “target” can mean “an individual person, a group, an organization composed of multiple individuals or a foreign power that possesses or is likely to communicate foreign intelligence information.” The report did not indicate if or how many U.S. persons might have been caught up in that collection.
The new report from the Privacy and Civil Liberties Board will not be official until the board votes on Wednesday to formally submit it to President Obama and to Congress.
The board previously released a report about the NSA’s phone records collection program (.pdf), conducted under the authority of Section 215 of the USA PATRIOT Act, and the operations of the Foreign Intelligence Surveillance Court.
The independent PCLOB, which was created in 2007 through the Implementing Recommendations of the 911 Commission Act, consists of five members—David Medine, Rachel L. Brand, Elisebeth Collins Cook, James X. Dempsey, and Judge Patricia M. Wald.