Ever wonder whether the National Security Agency picked up your text message or email because you mentioned ISIS leader Abu Bakr al Baghdadi to a friend? Claims of privacy infringement on Americans by the National Security Agency have been in headlines for years. Much of the criticism has related to NSA authorities under Section 702 of the Foreign Intelligence Surveillance Act (FISA), first established by the FISA Amendment Act of 2008.
However, the NSA recently announced changes to some of its collection practices under 702 that privacy advocates could agree with. The decision comes just as Washington is gearing up to discuss the reauthorization of 702 authorities with an impending deadline approaching at the end of the year.
General Michael Hayden, a former NSA director, recently described the foreign intelligence collection under 702 authority as “the most productive source of information the NSA has ever had.” The Office of the Director of National Intelligence has also strongly endorsed 702 authorities, saying they “provide the government with a uniquely effective way to acquire information about the plans and identities of terrorists and terrorist organizations, including how they function and receive support.”
Such information gleaned from electronic communications collected under 702 has no doubt furthered efforts to counter international terrorism, transnational crime, and weapons proliferation, while shaping an understanding of geopolitical relationships for U.S. policymakers.
Put simply, Section 702 allows the NSA, with judicial oversight, to collect foreign intelligence on targets reasonably believed to be overseas. However, the actual collection of this foreign intelligence will be conducted within the United States for various technical reasons, including how data packets move around the world at times transiting the United States even if it does not originate or end there, and because foreigners use U.S.-based communication platforms. This form of intelligence gathering is conducted through was is known as called downstream and upstream collection.
Downstream collection is essentially conducted through agreements with tech companies such as Google, Yahoo, AOL, Facebook and Apple responding to requests for lawful collection on foreign targets believed to be overseas. Communications are gathered in this way only if the message’s sender or receiver is a lawful foreign intelligence target, known as “to” and “from” collection.
Upstream collection involves physically tapping into the fiber optic cables and data centers that create the backbone of the internet and siphoning off data packets as they move through major telecommunication nexus points. With upstream collection, however, the NSA can capture communications that are “about” a foreign target – as well as “to” and “from” intelligence targets – meaning that a selector such as their email address is merely mentioned in the communication.
The NSA, however, recently announced that following “a comprehensive review of mission needs, current technological constraints, United States person privacy interests, and certain difficulties in implementation,” it “has decided to stop some of its activities conducted under Section 702.” These changes, the agency said, mean it “will no longer include any upstream internet communications that are solely ‘about’ a foreign intelligence target.”
The NSA changes specifically apply to upstream collection. Unlike downstream collection, the physical access to data centers or fiber optic cables involved in upstream collection allows the NSA to conduct what is known as deep packet inspection to grab communications that are simply “about” a foreign intelligence target – meaning terms affiliated to that target are mentioned within the body of the communications.
The reason, as Hayden recently told The Cipher Brief, is that “if you’re using your filters for [a foreign intelligence target] to actually look at the content of emails coming by, you could occasionally pick up an email in which both the sender and the receiver were in the United States.” This is known as “inadvertent collection,” which is not authorized under Section 702. The NSA statement even suggests the changes were in part made due to “inadvertent compliance incidents related to queries involving U.S. person information.”
Chris Inglis, the former deputy director of the NSA, says, “The principal benefit of the decision is that the NSA will establish a greater margin of safety from the line separating the pursuit of national security and important privacy protections.” There is commonly an expectation the NSA will never miss anything of importance to national security, nor collect anything it is not authorized to. However, “Technically speaking, compliance is a very hard line to navigate, and the line moves,” says Inglis. “The NSA likely did a thoughtful rendering of the pros and cons and came to the conclusion that this is one of those things where discretion is the better part of valor.”
It is possible the ending of “about” collection under 702 authorities was timed as a concession to policymakers responsible for reauthorizing and perhaps amending Section 702 before it expires at the end of the year. However, Nuala O’Connor, the President and CEO of the Center for Democracy and Technology, argues “stopping ‘about’ collection will not address all the valid concerns that privacy advocates, academics, and some government officials have raised since the program was codified in 2008.”
While both “to” and “from” collection remain active, it is possible one party of the collected communications could still be a U.S. person – a phenomenon referred to as “incidental collection.” While incidental collection often leads to “minimization” procedures to protect the privacy of innocent Americans scooped up in NSA surveillance, as of this past January it is no longer conducted prior to raw signals intelligence being disseminated to other intelligence agencies.
To put the scope of 702 collection into perspective, the NSA collected from 106,469 foreign intelligence targets under Section 702 in 2016, up from 94,368 in 2015. Once the communications data is lawfully collected, it is considered pertinent to foreign intelligence and can be queried by any other intelligence agency, such as the FBI or CIA, using search terms – including those linked to U.S. persons. Last year, 5,288 terms, or selectors, belonging to U.S. persons were queried to retrieve unminimized communications content and 30,355 selectors were queried to retrieve unminimized information such as metadata. Since the decision in January to share raw NSA signals intelligence prior to minimization mentioned above, these numbers will likely go up.
With the reauthorization deadline approaching, O’Connor argues that “there are a number of reforms that can be made to 702 that do not impede the law’s intent.” Perhaps one of the more necessary reforms, according to O’Connor, would be establishing “better protections for U.S. information after it is collected,” for example, by “requiring government to get a court order before searching its vast databases for U.S. persons.”
Levi Maxey is a cyber and technology analyst at The Cipher Brief. Follow him on Twitter @lemax13.