The National Security Agency recently announced changes to its intelligence collection practices under Section 702 of the Foreign Intelligence Surveillance Act (FISA). The Cipher Brief spoke with Chris Inglis, the former deputy director of the NSA, about what these changes mean, why they might have come about, and how significant they are moving forward.
The Cipher Brief: Could you explain what authorities are granted under FISA Section 702?
Chris Inglis: Well you wouldn’t be surprised to find that it’s complicated but here’s a reasonably compact version of how it works.
Authorization and oversight of the intelligence community today is comprised of laws, policies and procures that involve all three branches of government. But that’s a relatively recent practice.
For much of the period from the 1940s through the late 1970s, the executive branch was the predominant branch providing guidance and oversight. Motivated in part by the congressional findings of the Church-Pike investigations of the mid 1970’s, the executive branch issued Executive Order 12333 in 1981 to delineate and clarify intelligence authorities for agencies like the NSA and CIA for the collection and handling of foreign intelligence.
Meanwhile, as globally dispersed telecommunication systems began to interconnect and the communications they transmitted began to show up in lots of different places, it became technically possible for NSA to conduct foreign intelligence collection in the United States, despite the fact that the communication itself started and ended somewhere overseas. So in 1978 the Foreign Intelligence and Surveillance Court (FISC) was created by the Foreign Intelligence Surveillance Act to add judicial oversight for those foreign intelligence activities where there was an increased possibility of encountering U.S. person data.
FISA Section 702, defined in the amendment of the original FISA in 2008 (the result is often referred to as “FAA” or the “FISA Amendments Act”), sustained judicial oversight of the intelligence community’s collection of foreign intelligence from U.S. infrastructure and reads roughly as follows. Under Section 702, the U.S. intelligence community can collect foreign intelligence from U.S. infrastructure when the intelligence sought is foreign, not domestic, intelligence, and the parties whose communications are targeted are physically located in a foreign place – note that this means that NSA could have collected this information using EO12333 authorization if they moved the point of collection overseas – but the actual collection of these communications takes place in the United States. Again, the distinction here is that under 702, NSA employs legislative authority (FISA) with judicial (FISC) and executive branch oversight. Think of it as “belts, suspenders, and Velcro” for those situations where extra caution is required to ensure the protection of U.S. person privacy.
This essentially means that, to use a 702 collection authority, the communication the NSA is after starts overseas, in most cases ends overseas, that the person NSA is interested in is overseas, but the communication they are capturing is presently in the United States. Why does this make sense? Because targets of foreign intelligence surveillance sometimes use U.S.-based communication systems.
So, in practical terms, given the possibility that collection of foreign-to-foreign communications from U.S. infrastructure could implicate U.S. persons’ communications, the FISC stands in to provide additional oversight. And while there must be care taken to ensure innocent foreigners have protection (President Obama clarified these protections in an executive order in early 2014), the FISC’s main purpose is to provide oversight in how the NSA protects U.S. persons while conducting foreign intelligence.
For completeness’ sake, different provisions of the FISA – to include sections 703 and 704 – offer different variations in how the intelligence community can pursue foreign intelligence. Some do allow for the possibility that the intelligence community could target U.S. persons – something they cannot do using section 702. In any event, NSA can only target the content of a U.S. person’s communications under a probable cause determination, as is described in sections 703 or 704 of the FISA – which are almost never used.
TCB: What does the recent announcement by the NSA mean and how significant is it?
CI: The announcement refers to NSA's "about" collection. With the approval of the FISC, NSA was authorized to task "upstream" for the mention of a foreign intelligence target.
Quoting from the NSA press release:
Under Section 702, NSA collects internet communications in two ways: “downstream” (previously referred to as PRISM) and “upstream.” Under downstream collection, NSA acquires communications ‘to or from’ a Section 702 selector (such as an email address). Under upstream collection, NSA acquires communications “to, from, or about” a Section 702 selector. An example of an “about” email communication is one that includes the targeted email address in the text or body of the email, even though the email is between two persons who are not themselves targets.
Under the recently announced change, NSA will now limit upstream collection to internet communications that are sent directly to or from a foreign target. More specifically, the agency will no longer collect communications that only mention a selector of interest.
To understand the impact of this decision, it’s useful to consider the role of “about” collection. "About" upstream collection is useful to reveal persons or organizations who may be associated with a terrorist network, but it is not without risk. To that end, given the possibility that such collection might inadvertently collect U.S. person communications, strict limits were previously placed by the FISC on the handling of collected materials, to include how it could be searched, stored, and used to build intelligence understanding of legitimate foreign intelligence issues.
While the cessation of "about" collection will introduce a small risk of missing legitimate foreign intelligence that would reveal threats to the nation's security, I think the decision is a good idea.
The principal benefit of the decision is that NSA will establish a greater margin of safety from the line separating the pursuit of national security and important privacy protections. While NSA unquestionably acknowledges the importance of that line, it is technically a very difficult one to navigate.
To give you a sense of the challenge: The FISC, Congress, and the executive branch, desire 100 percent confidence that NSA will never collect something it shouldn't. That is the right and appropriate goal, but roiling technology and changing user behavior make that very challenging. So with an expectation NSA will be exhaustive in its description of how things will work and perfect in its execution of same, the best it can do is to be illustrative in the former and diligent in the latter. If that standard of performance isn't good enough, then the NSA needs a bigger margin of safety.
Borrowing from General Michael Hayden's “play to line” analogy, if we want to play to a line that's constantly moving and never wind up on the wrong side of it, it's a smart play to install a greater margin of safety.
TCB: Do you see this move by the NSA as a concession for the reauthorization of 702 authorities at the end of the year?
CI: This is consistent with past practice, where the NSA constantly assesses the pros and cons of sustaining a particular kind of collection. For example, even before [Edward] Snowden [a former NSA contractor turned leaker] came out, the NSA gave up on the collection of email metadata that was the equivalent of the telephone metadata collected under Section 215 of the Patriot Act. That was the result of a pros-and-cons evaluation.
So I don’t think this is a concession per se going forward. Frankly, the Administration and the NSA believe that they have a case based on merit, not politics. Whether that is thrown into the swirl of political rhetoric, who knows, but I don’t think the calculation here is to put a program on the table as an opening to a negotiation that hasn’t yet taken place. That said, I do hope that this decision will be taken as evidence that NSA and the Administration actually do weigh the pros and cons of their various authorities, mindful of the Constitution’s imperative to pursue all of its stated aims, in this case national security and the defense of privacy.
TCB: Will this change adversely affect NSA’s ability to conduct its counterterrorism, counterintelligence, and counterproliferation missions?
CI: There is some unique contribution made by “about” collection, but it is relatively small, and therefore it is not one of those things you could say is a make-or-break proposition for NSA. However, the standard is sometimes perceived in the United States as zero-tolerance for missing something. If that is the true standard, then this will affect how well the NSA is able to determine connections between national security threats.
TCB: Now that there is more certainty that the communications of U.S. persons aren’t picked up after these changes, is there a relaxation of restrictions on querying the data for U.S. selectors?
CI: No, those constraints remain what they were. Some would say they are just as egregious as they were and others would say they are just as responsible as they were. So all sides essentially don’t see a difference in the queries. That said, given that the court’s earlier restrictions regarding how NSA could query data collected under “about” collection – in order to address the possibility of inadvertent collection of U.S. person data – I wouldn’t be surprised to see a relaxation of those particular rules.
To clarify, the queries we’re referring to here are those that are permitted against material collected under 702 authority – which is generally the content of communications (more than metadata). The FISC has provided that the NSA, or other intelligence agencies, can search that content, even for U.S. selectors. The FISC’s presumption is that if the intelligence community has collected data shown to be responsive to a foreign intelligence collection task, and they want to query that data in pursuit of a legitimate foreign intelligence issue, then it is reasonable and appropriate to be efficient and effective in their pursuit of that information. But NSA has to show that the queries of data collected under 702 will retrieve foreign intelligence information as opposed to something else. This has not changed with the NSA giving up “about” collection.
TCB: Do you think recent accusations of “unmasking” coming from members of Congress and the rhetoric against the NSA’s intelligence practices from the Trump Administration had anything to do with the decision to stop “about” collection?
CI: It is impossible to make these kinds of choices without knowledge of that larger dialogue, but I don’t think the unmasking debate has unduly influenced this decision. I imagine, with high confidence, this decision was made solely in the context of compliance incidents of the last year or two.
Technically speaking, compliance it is a very hard line to navigate, and the line moves. I think the NSA likely did a thoughtful rendering of the pros and cons and came to the conclusion that this is one of those things where discretion is the better part of valor. It also shows that they are as committed to the defense of privacy as they are to the pursuit of national security. They are obligated to do both and I think it is as simple as that.
Now it is not beyond the NSA to imagine that having been thoughtful and reasonable in this instance, that they will then be given some greater credibility when they say that “this” – whatever that might be – “is really important.” That has got to be part of the dialogue.
As far as the Administration’s role, I have no doubt that there was thoughtful and extensive dialogue with the Department of Justice’s National Security Division, the Director of National Intelligence, and other oversight mechanisms are already in place within the executive branch.
When it comes down to it, I think the NSA made this choice on merit.
