Remembering Civil Liberties when Reforming Foreign Surveillance

Cyber Advisor

The NSA surveillance programs under the authorities laid out in the Foreign Intelligence and Surveillance Act (FISA) Section 702 have been making headlines since former NSA contractor Edward Snowden first leaked them in 2013. The backlash of the leaks has caused many to criticize the surveillance law for its lack of privacy protections which, in critics’ minds, could lead to infringement on American civil liberties. The law is now due to expire unless Congress passes a reauthorization bill – a number of which are now under consideration – but there are significant reforms being proposed that could change how the law is implemented.

The Cipher Brief’s Levi Maxey spoke with Chris Inglis, the former deputy director of the NSA, about what FISA Section 702 is, why it receives criticism and whether some of the reforms proposed could strengthen the law from a civil liberties perspective.

Essentially 702 focuses on the ability to collect foreign intelligence information from foreign persons who themselves are in foreign places, using U.S. infrastructure. That last part is what makes 702 so special: it attempts to regulate the collection and processing of foreign intelligence when it is on U.S. infrastructure, so that we can fully attempt to protect U.S. persons’ privacy. That is all the authority does, no more no less.

But while the explanation of what the law is intended to do may appear simple, with no implications for American civil liberties, in practice separating the communications of legitimate foreign intelligence targets from U.S. persons is difficult and incidental collection occurs – leading some to cry foul.

Incidental collection is probably one of the most misunderstood terms on the planet. To many people when they hear the term, it conjures up the idea that when you are intending to collect one communication, you somehow got a second, another. That is not what it means. What it means is that because every communication has at least two ends, if you are focused on one end of that then you are necessarily going to incidentally collect both ends. And that communication is therefore thought to be the property of two or more people. That second person is the incidental collection.

Some have demanded that the NSA immediately remove and report all incidentally collected communications belonging to a U.S. person, but doing so has its challenges.

Most of the time you have no idea who that second person is, as you are targeting the person of interest. You really don’t know his or her status until you look at the communication, and even then, it is very seldom that you know what his or her citizenship is or what their proclivities are. In order to understand that, you have to spend some time and attention thinking about them. That is the conundrum here.

When asked, does the intelligence community know how many times they incidentally collect a U.S. person, the general answer is no, because in order to know that, you would have to focus attention on that second person – in many cases, with no just cause. They have not done anything to deserve the attention of the U.S. intelligence community.

To minimize the possibility of picking up the inadvertent collection of U.S. person communications, the NSA decided in May that it would end what is known as “about” collection. Currently, the decision is merely a policy choice on the part of the NSA, but some have suggested that the change should be codified in a reauthorized FISA 702 bill. But what is “about” collection and should it be codified?

So the “about” collection, as the name implies, says that the selector that you’ll use to actually pull the communication out of the pile – as opposed to doing it “to” or “from” a target of interest, who is either the sender or the receiver – is any occurrence of the given selector in the content of the communication.  So it could be that the two parties who are in this conversation are talking about this other person.

That has been useful particularly in trying to understand terrorist networks when the person that you’re selecting on, that you know is of interest to you, is referenced by other parties. You might then determine that there is a larger network or conspiracy. That is how “about” collection came to be something that was practiced by the U.S. intelligence community.

But because that casts a wider net and because you sometimes incidentally get information associated with U.S. persons, it is then problematic. The U.S. intelligence community willingly gave up on that earlier this year despite the fact that there were conditions approved by the Foreign Intelligence Surveillance Court (FISC) under which they said it was appropriate to collect these things so long has you handle the collected materials in a certain way. The U.S. intelligence community said it thinks [this element of collection] is probably something it should give up to demonstrate that it is doing things that are essential but proportionate to that essential need.

That is not the consensus view, there are some of my former colleagues who would thoughtfully say, we are giving up a tool that has allowed us to discover terrorist networks in the past, and we better be thoughtful about why we are doing [stopping use of that tool]. That is a fair question.

Another common proposal has been closing what some have called a “backdoor” search capability whereby the FBI is able to query already lawfully collected communications data under 702 for criminal purposes unrelated to the initial collection without needing a court order.

Again, this is one of those areas where there is no consensus. Should the material collected under 702 – which has been lawfully acquired by the U.S. government – be at the disposal of the FBI if they are engaged in a lawful criminal investigation?

The discussion that rages back and forth on that is whether a) it has been lawfully searched and seized b) it has not been processed by the NSA and c) the determination of whether it really is responsive to that foreign intelligence query.

So the question is: is it appropriate to query this pile of collected communications for a purpose other than foreign intelligence? The court has ruled consistently that the answer to that question is yes.

Others would say maybe not. I am on the margins of that and if push came to shove on the survival of the 702 authorities for purposes of foreign intelligence hung by a thread, I would say that we should consider going through additional procedure to authorize those queries, when those queries on are U.S. persons. However lawful it might be to pursue a criminal investigation using the traditional methods, this material is collected for purposes of foreign intelligence, so we might want to have an additional check to make sure we are comfortable making that query.

Given the importance 702 authorities have had for U.S. national security in the past, some have argued that setting an expiration date places the discussion over renewal under fluctuating political climates, and that this is irresponsible. 

Again, my colleagues, particularly those who continue to serve in harms way, would argue strongly for an indefinite reauthorization. But I think as a matter of good policy, it is useful to compel a revisit maybe eight or ten years down the road. But we shouldn’t be on a tail chase every year or two.

You might remember that the law that established Foreign Intelligence Surveillance authority was passed in 1978, and by 2008 an amendment came into play. It was fundamentally wrong in terms of its assumption about where foreign and domestic communications were in 1978, because we thought that if a communication was in the air, it was probably satellite communication. But in 2008, that was dead wrong because if it’s in the air, it’s probably a cellular communication.

So to the extent that these laws institutionalize a current understanding of how technology is reconciled to legal practice and operational activities, it is appropriate to revisit those from time to time. I’d put an eight-year horizon on it.

While there may be changes necessary to refocus FISA Section 702 on its foreign intelligence purpose, national security experts broadly believe reauthorization of the authorities is necessary.

The 702 authorization has shown itself to be an essential collection capability for the production of legitimate foreign intelligence. No one argued in the summer of 2013 that it didn’t disrupt terrorist plots – I think the figure given in those days was 54 to be exact. There is a lot of argument as to whether it was good policy and whether it was framed the right way, but it has shown itself an essential and unique tool that allows the nation’s policymakers to do things on behalf of not just this nation but other nations. Of those 54 plots, only 13 of those were in the United States – 25 were in Europe. So, it also turns out that 702 produces a great good for multiple nations, and not just like-minded nations, but all nations of the world.

Finally, 702, as currently codified, which has been the case since 2008, is the only framing in the world – that I know of – that involves the three branches of government. The Legislative branch authorizes it through the production of the law, the Executive branch implements it, and the Judicial branch provides oversight. That is a trifecta. It doesn’t get any better than that. And there is no abuse of that, from what I know from my private knowledge inside of NSA or all the investigations that have taken place. No intentional abuse of this authority has been reported.

When you add all that up – it’s essential, it’s a vesting glass in terms of its framing, and there’s been no known abuse of it – I don’t know how you don’t authorize this for the next period of time so we can get back to business of using it as it was intended.

Cyber Advisor
Topic Areas:Tech/CyberTagged with:

Leave a Reply

Related Articles