The views represented here are solely those of the author and do not represent those of the NSA or any other organization.
On March 1, I had the privilege of testifying before Congress. The House Judiciary Committee held a hearing on the reauthorization of Section 702 of the FISA Amendments Act, which expires in December of this year. The committee organized a panel of four witnesses from academia, think tanks, and the private sector; a separate, closed session included government witnesses. Of the four of us, I was the only one who’d had direct experience working with 702 authority. I was an intelligence lawyer at the National Security Agency before and after the FAA was passed and served as the head of intelligence law for NSA until 2016, when I left the agency to go into private practice.
My written testimony is publicly available and, I hope, speaks for itself, but if I had to boil it down further, I would make six points here, any of which could be a subject all their own.
Two big myths
I often run across the belief, expressed in print or in person, that Section 702 allows for bulk collection of information and that it offers no protections whatsoever for non-U.S. persons. Both of these are urban legends; neither of them is factually correct.
702 does not allow collection of bulk data.
FAA 702 collection can only be initiated when an analyst is able to articulate, and document, a specific set of facts to meet the statutory and procedural requirements for demonstrating that: 1) a specific “facility” (such as a phone number or email address) 2) is associated with a specific user 3) who is a non-U.S. person 4) who is reasonably believed to be located outside the U.S. and 5) who is likely to possess or communicate foreign intelligence information.
Although a large number of selectors have been targeted under FAA 702, each of those facilities has been tasked for collection because on an individual, particularized basis each one of them meets the criteria noted above.
Each annual certification is accompanied by lengthy, detailed targeting and minimization procedures, which must be reviewed by the FISC. The procedural protections include both technical and administrative controls to guard against improper collection or handling of the information. They include pre- and post-targeting checks on collection; requirements for rigorous training and testing before personnel can access 702 data; and restrictions on dissemination and use of the information.
Second, 702 does not allow indiscriminate collection of non-US-person communication.
As the independent Privacy and Civil Liberties Oversight Board noted in its comprehensive 2014 report, 702 collection may only be directed against targets who are likely to possess, communicate, or receive foreign intelligence information. The targeting rationale must include an explanation for each facility — such as a phone number or email address — which substantiates the basis for the targeting. As has been noted by a number of intelligence professionals in their public testimony, all signals intelligence collection must be tied to, and based upon, an intelligence requirement that’s been vetted through a formal interagency process.
In other words, neither the statute nor the procedures permit random, arbitrary, or pointless targeting of anyone, even if they are non-US persons located outside the U.S.
Two concerns
Why querying for U.S. persons doesn’t amount to a “back door search.”
Because of the tailored, documented, and carefully overseen manner in which the front-end collection is carried out, it is neither unlawful nor inappropriate for analysts to query the collected information using U.S. person identifiers when there is a legitimate basis to do so. Some critics have referred to the ability to query 702 data for U.S. person information as “back door searches.”
Although these searches carry privacy risks, those risks are held in check by current oversight mechanisms. For example, NSA analysts must obtain prior approval to run U.S. person identifier queries in FAA 702 content; there must be a basis to believe the query is reasonably likely to return foreign intelligence information; all queries are logged and reviewed after the fact by NSA; and DoJ and ODNI review every U.S. person query run at NSA and CIA, along with the documented justifications for those queries.
As an IC lawyer for many years, I know how often urgent, time-sensitive operational questions come up in the middle of the night and on weekends.
The government has a compelling national security need to carry out those searches in appropriate cases. As an IC lawyer for many years, I know how often urgent, time-sensitive operational questions come up in the middle of the night and on weekends. If analysts — who work 24 hours a day, seven days a week — had to request permission from an outside body such as the Foreign Intelligence Surveillance Court before running U.S. person queries, there is a very real risk that the government would miss the critical time window for finding and acting on essential information.
Why privacy professionals should be concerned about proposals to measure the incidentally collected U.S. person communications.
Privacy advocates have pressed the IC to count the number of U.S. person communications that are collected incidentally — swept into surveillance when a U.S. person or person in the U.S. communicates with an intelligence target. In order to assess the privacy drawbacks to doing a count like this, it’s important to understand how it would have to work.
In typical analytic tradecraft, analysts run queries looking for intelligence information; they review those communications; and if they find something of interest, they look to see if the communication includes identifiers — such as emails or phone numbers — that they haven’t seen before. If the communication has no intelligence value, the analyst has little reason to research the identity, nationality, or location of that identifier.
In order to determine who the unknown identifiers belong to and where those users are in the world, the analysts would need additional information. In some cases, technical data may help assist with the location determination. But technical information generally cannot identify whether the user of an email account happens to be a U.S. person located somewhere else in the world.
To count the number of U.S. person communications that are incidentally acquired under Section 702, the IC would have to find every unknown identifier in 702 communications and then analyze each one in order to determine whether they’re being used inside or outside the U.S. and whether their users might be U.S. persons. NSA does not — nor should it — collect or maintain comprehensive directories of the communications identifiers used by U.S. persons. Without such a reference database, the count of U.S. person communications would be impossible. Yet creating a comprehensive reference database of identifiers used by people who are not of any intelligence interest would constitute a significant intrusion on privacy — and unlike many other privacy risks, there is no intelligence value or gain that could offset or justify this privacy intrusion.
In addition to the privacy impacts, searching for U.S. persons who aren’t intelligence targets would cause the IC to divert significant resources away from doing their core mission of intelligence analysis.
Finally, it is unlikely that knowing the number or percentage of U.S. persons in a particular data sample would result in increased privacy protections in the future: first, because it isn’t clear whether numbers or percentages would be constant over time or across target sets; and second, because the fundamental challenge remains an intractable one: As long as foreign intelligence targets communicate with U.S. persons, there will be some instances in which those communications are incidentally intercepted. This risk is precisely the reason why Congress required, and why the government must abide by, court-approved minimization procedures designed to protect that information.
Final thoughts
First, 702 oversight works.
In designing this statute, Congress wisely chose to build in oversight mechanisms involving all three branches of government.
Four committees in Congress have oversight jurisdiction of the government’s activities under Section 702: the Senate and House Select Committees on Intelligence and the Senate and House Judiciary Committees. These committees receive all government filings, hearing transcripts, and FISC orders and opinions related to the court’s consideration of the Section 702 certifications, along with reports from agency inspectors general.
The FISC also plays a critical role in oversight of the 702 program. The government must report compliance incidents to the FISC through “13(b)” notices that describe each incident of non-compliance. It’s not uncommon for the FISC to ask the government to provide supplemental information to address any questions that the court may have regarding those incidents. In addition to this ongoing oversight function, each year, the FISC reviews the government’s annual certification package, making independent determinations about whether the proposed certifications meet the necessary standards under the law; whether the targeting and minimization procedures faithfully incorporate all of the necessary restrictions; and reviewing the compliance incidents that have taken place over the past year.
The intelligence agencies have rigorous internal oversight and compliance programs, and DoJ and ODNI detailed external oversight through joint reviews of the day-to-day implementation of intelligence activities under FAA 702. These include reviewing targeting decisions; reviewing queries; reviewing disseminations of 702 data; reporting to the FISC and to Congress every instance of non-compliance that is identified; and assessing the Intelligence Community’s implementation of appropriate remedial actions to address compliance matters, including purging of non-compliant data and recalling non-compliant disseminations.
Equally important to these external checks, the use of the FAA 702 authority takes place within a deeply rooted culture of compliance.
As someone who, today, advises private-sector entities on cybersecurity and privacy, I’m well attuned to the fact that one of the most important factors in a successful privacy or compliance program is maintaining a culture of compliance, and setting that tone from the top.
As someone who, today, advises private-sector entities on cybersecurity and privacy, I’m well attuned to the fact that one of the most important factors in a successful privacy or compliance program is maintaining a culture of compliance, and setting that tone from the top.
In thirteen years at NSA, I saw mistakes that resulted from human error. I also saw instances in which technical complexity led to errors that hadn’t been foreseen. All of these were reported promptly and addressed. However, I did not see people deliberately taking actions that would abuse the trust placed in them in handling this very sensitive data. In other words, my experience was entirely consistent with the PCLOB’s finding that, “Although there have been various compliance incidents over the years, many of these incidents have involved technical issues resulting from the complexity of the program, and the Board has not seen any evidence of bad faith or misconduct.”
Second: 702 intelligence works.
While at NSA, I had the opportunity to witness firsthand the critical importance of robust intelligence information in supporting U.S. troops and in detecting terrorist plans and intentions that threatened the safety of the U.S. and its allies. Many of those instances are recent and remain classified.
However, some successes have been publicly released.
As the PCLOB noted in its report, “[O]ver a quarter of the NSA’s reports concerning international terrorism include information based in whole or in part of 702 collection, and this percentage has increased every year since the statute was enacted.” These numbers are underscored by the success stories that were presented in unclassified testimony before the Senate Committee on the Judiciary in 2016.
As I testified to Congress, it’s my belief, based on my personal experience and professional judgment, that Congress drew the balance of authority and restrictions in the right place when it enacted FAA 702 in 2008 and when it reauthorized it in 2012. This year provides an important opportunity to FAA to be carefully scrutinized once again. But as Congress continues its work, it’s worth remembering that things that aren’t broke don’t need fixing. Sometimes they just need to be extended as-is.