
Privacy Perspectives | Section 702: Two myths, two concerns, and two final thoughts



The views represented here are solely those of the author and do not represent those of the NSA or any other organization.

On March 1, I had the privilege of testifying before Congress. The House Judiciary Committee held a hearing on the reauthorization of Section 702 of the FISA Amendments Act, which expires in December of this year. The committee organized a panel of four witnesses from academia, think tanks, and the private sector; a separate, closed session included government witnesses. Of the four of us, I was the only one who’d had direct experience working with 702 authority. I was an intelligence lawyer at the National Security Agency before and after the FAA was passed and served as the head of intelligence law for NSA until 2016, when I left the agency to go into private practice.

My written testimony is publicly available and, I hope, speaks for itself, but if I had to boil it down further, I would make six points here, any of which could be a subject all their own.

Two big myths

I often run across the belief, expressed in print or in person, that Section 702 allows for bulk collection of information and that it offers no protections whatsoever for non-U.S. persons. Both of these are urban legends; neither of them is factually correct.

First, 702 does not allow collection of bulk data.
FAA 702 collection can only be initiated when an analyst is able to articulate, and document, a specific set of facts to meet the statutory and procedural requirements for demonstrating that: 1) a specific “facility” (such as a phone number or email address) 2) is associated with a specific user 3) who is a non-U.S. person 4) who is reasonably believed to be located outside the U.S. and 5) who is likely to possess or communicate foreign intelligence information.

Although a large number of selectors have been targeted under FAA 702, each of those facilities has been tasked for collection because on an individual, particularized basis each one of them meets the criteria noted above. 

Each annual certification is accompanied by lengthy, detailed targeting and minimization procedures, which must be reviewed by the FISC. The procedural protections include both technical and administrative controls to guard against improper collection or handling of the information. They include pre- and post-targeting checks on collection; requirements for rigorous training and testing before personnel can access 702 data; and restrictions on dissemination and use of the information. 

Second, 702 does not allow indiscriminate collection of non-US-person communication.
As the independent Privacy and Civil Liberties Oversight Board noted in its comprehensive 2014 report, 702 collection may only be directed against targets who are likely to possess, communicate, or receive foreign intelligence information. The targeting rationale must include an explanation for each facility — such as a phone number or email address — which substantiates the basis for the targeting. As has been noted by a number of intelligence professionals in their public testimony, all signals intelligence collection must be tied to, and based upon, an intelligence requirement that’s been vetted through a formal interagency process.

In other words, neither the statute nor the procedures permit random, arbitrary, or pointless targeting of anyone, even if they are non-US persons located outside the U.S.

Two concerns

Why querying for U.S. persons doesn’t amount to a “back door search.” 
Because of the tailored, documented, and carefully overseen manner in which the front-end collection is carried out, it is neither unlawful nor inappropriate for analysts to query the collected information using U.S. person identifiers when there is a legitimate basis to do so. Some critics have referred to the ability to query 702 data for U.S. person information as “back door searches.”  

Although these searches carry privacy risks, those risks are held in check by current oversight mechanisms. For example, NSA analysts must obtain prior approval to run U.S. person identifier queries in FAA 702 content; there must be a basis to believe the query is reasonably likely to return foreign intelligence information; all queries are logged and reviewed after the fact by NSA; and DoJ and ODNI review every U.S. person query run at NSA and CIA, along with the documented justifications for those queries.

The government has a compelling national security need to carry out those searches in appropriate cases. As an IC lawyer for many years, I know how often urgent, time-sensitive operational questions come up in the middle of the night and on weekends. If analysts, who work 24 hours a day, seven days a week, had to request permission from an outside body such as the Foreign Intelligence Surveillance Court before running U.S. person queries, there is a very real risk that the government would miss the critical time window for finding and acting on essential information.

Why privacy professionals should be concerned about proposals to measure the incidentally collected U.S. person communications. 
Privacy advocates have pressed the IC to count the number of U.S. person communications that are collected incidentally, that is, swept into surveillance when a U.S. person or person in the U.S. communicates with an intelligence target. In order to assess the privacy drawbacks to doing a count like this, it’s important to understand how it would have to work.

In typical analytic tradecraft, analysts run queries looking for intelligence information; they review those communications; and if they find something of interest, they look to see if the communication includes identifiers, such as emails or phone numbers, that they haven’t seen before. If the communication has no intelligence value, the analyst has little reason to research the identity, nationality, or location of that identifier.

In order to determine who the unknown identifiers belong to and where those users are in the world, the analysts would need additional information. In some cases, technical data may help assist with the location determination. But technical information generally cannot identify whether the user of an email account happens to be a U.S. person located somewhere else in the world.

To count the number of U.S. person communications that are incidentally acquired under Section 702, the IC would have to find every unknown identifier in 702 communications and then analyze each one in order to determine whether they’re being used inside or outside the U.S. and whether their users might be U.S. persons. NSA does not, nor should it, collect or maintain comprehensive directories of the communications identifiers used by U.S. persons. Without such a reference database, the count of U.S. person communications would be impossible. Yet creating a comprehensive reference database of identifiers used by people who are not of any intelligence interest would constitute a significant intrusion on privacy, and unlike many other privacy risks, there is no intelligence value or gain that could offset or justify this privacy intrusion.

In addition to the privacy impacts, searching for U.S. persons who aren’t intelligence targets would cause the IC to divert significant resources away from doing their core mission of intelligence analysis.

Finally, it is unlikely that knowing the number or percentage of U.S. persons in a particular data sample would result in increased privacy protections in the future: first, because it isn’t clear whether numbers or percentages would be constant over time or across target sets; and second, because the fundamental challenge remains an intractable one: as long as foreign intelligence targets communicate with U.S. persons, there will be some instances in which those communications are incidentally intercepted. This risk is precisely the reason why Congress required, and why the government must abide by, court-approved minimization procedures designed to protect that information.

Final thoughts 

First, 702 oversight works. 
In designing this statute, Congress wisely chose to build in oversight mechanisms involving all three branches of government.  

Four committees in Congress have oversight jurisdiction of the government’s activities under Section 702: the Senate and House Select Committees on Intelligence and the Senate and House Judiciary Committees. These committees receive all government filings, hearing transcripts, and FISC orders and opinions related to the court’s consideration of the Section 702 certifications, along with reports from agency inspectors general.

The FISC also plays a critical role in oversight of the 702 program. The government must report compliance incidents to the FISC through “13(b)” notices that describe each incident of non-compliance. It’s not uncommon for the FISC to ask the government to provide supplemental information to address any questions that the court may have regarding those incidents. In addition to this ongoing oversight function, each year, the FISC reviews the government’s annual certification package, making independent determinations about whether the proposed certifications meet the necessary standards under the law; whether the targeting and minimization procedures faithfully incorporate all of the necessary restrictions; and reviewing the compliance incidents that have taken place over the past year.

The intelligence agencies have rigorous internal oversight and compliance programs, and DoJ and ODNI conduct detailed external oversight through joint reviews of the day-to-day implementation of intelligence activities under FAA 702. These include reviewing targeting decisions; reviewing queries; reviewing disseminations of 702 data; reporting to the FISC and to Congress every instance of non-compliance that is identified; and assessing the Intelligence Community’s implementation of appropriate remedial actions to address compliance matters, including purging of non-compliant data and recalling non-compliant disseminations.

Equally important to these external checks, the use of the FAA 702 authority takes place within a deeply rooted culture of compliance.  

As someone who, today, advises private-sector entities on cybersecurity and privacy, I’m well attuned to the fact that one of the most important factors in a successful privacy or compliance program is maintaining a culture of compliance, and setting that tone from the top. 

In thirteen years at NSA, I saw mistakes that resulted from human error. I also saw instances in which technical complexity led to errors that hadn’t been foreseen. All of these were reported promptly and addressed. However, I did not see people deliberately taking actions that would abuse the trust placed in them in handling this very sensitive data. In other words, my experience was entirely consistent with the PCLOB’s finding that, “Although there have been various compliance incidents over the years, many of these incidents have involved technical issues resulting from the complexity of the program, and the Board has not seen any evidence of bad faith or misconduct.”

Second: 702 intelligence works.
While at NSA, I had the opportunity to witness firsthand the critical importance of robust intelligence information in supporting U.S. troops and in detecting terrorist plans and intentions that threatened the safety of the U.S. and its allies. Many of those instances are recent and remain classified.

However, some successes have been publicly released.

As the PCLOB noted in its report, “[O]ver a quarter of the NSA’s reports concerning international terrorism include information based in whole or in part on 702 collection, and this percentage has increased every year since the statute was enacted.” These numbers are underscored by the success stories that were presented in unclassified testimony before the Senate Committee on the Judiciary in 2016.

As I testified to Congress, it’s my belief, based on my personal experience and professional judgment, that Congress drew the balance of authority and restrictions in the right place when it enacted FAA 702 in 2008 and when it reauthorized it in 2012. This year provides an important opportunity for the FAA to be carefully scrutinized once again. But as Congress continues its work, it’s worth remembering that things that aren’t broke don’t need fixing. Sometimes they just need to be extended as-is.

photo credit: t--h--s DSC_0602 via photopin (license)


If you want to comment on this post, you need to login.

  • Kimberley Laris • Mar 20, 2017
    Your good faith observances of application use and monitoring are appreciated. However, concern remains about the opportunity for well-funded non-accountable access, manipulation, and mass copying of sensitive data via nefarious O/S admin account override. 
    If the ability to effectively detect and correct abuse of powerful anonymous privileged administrator rights to large seas of data and software in a timely manner were more certain,  it would help trust levels. 
    A raid on administrator employee private information has been underway to capture Admin passwords, because abused O/S Administrator accounts go undetectable in an application's audit trail, circumventing the intended application's accountability design.  
    O/S administrator accounts grant what IT Security professionals call "God permissions" to applications and databases, some record O/S admin activities for monitoring (i.e., view, manipulate, or copy sensitive data for offline analysis). If nefarious override Admin activity is detected (within voluminous system activity logs), the records often prove useless because only "Admin" is recorded - not a uniquely identifiable person/device as the application would. 
    In addition, someone abusing an O/S admin account can usually turn off and delete their activity before exiting a session. 
    Due to the futility frustration, the widest data access role often remains unaccountable. There are exceptions to the rule, but they often require more planning insight than most technologists are allotted time to research and money to implement. Then, many of those tools are not interoperable for entrenched application O/S's.
    When no one with great IT power has a non-accountable footprint like Snowden, it will be reassuring to hear.  Until then, it is reasonable to expect crime on data and software assets to escalate.
  • Ken Mortensen • Mar 21, 2017
    I think your comment explains exactly what April states in "Why privacy professionals should be concerned about proposals to measure the incidentally collected U.S. person communications." If we were to require that the IC complete the integration of identity data for statistical measurement purposes, a new, currently non-existent risk would be created by obligating the IC to maintain identifiable information, of both US and non-US persons.
    While I did not work with 702 in the day-to-day aspect of what April describes as her role, my experience at DOJ in looking at the programmatic integration of privacy and security into the collection and analytical processes was one that focused on the needed information without limiting what was needed. The concepts of "minimum necessary" and layered analytics provided administrative safeguards for privacy and the oversight discussed in the article works to ensure greater transparency in the implementation of the proper process.
    To that end, I agree with April that we need to encourage Congress to let a well-designed and well-functioning law remain in operation to serve the security of this Nation and our allies.