Section 702: Two myths, two concerns, and two final thoughts

The views represented here are solely those of the author and do not represent those of the NSA or any other organization.

On March 1, I had the privilege of testifying before Congress. The House Judiciary Committee held a hearing on the reauthorization of Section 702 of the FISA Amendments Act, which expires in December of this year. The committee organized a panel of four witnesses from academia, think tanks, and the private sector; a separate, closed session included government witnesses. Of the four of us, I was the only one who’d had direct experience working with 702 authority. I was an intelligence lawyer at the National Security Agency before and after the FAA was passed and served as the head of intelligence law for NSA until 2016, when I left the agency to go into private practice.

My written testimony is publicly available and, I hope, speaks for itself, but if I had to boil it down further, I would make six points here, any of which could be a subject all their own.

Two big myths

I often run across the belief, expressed in print or in person, that Section 702 allows for bulk collection of information and that it offers no protections whatsoever for non-U.S. persons. Both of these are urban legends; neither of them is factually correct.

First, 702 does not allow collection of bulk data.
FAA 702 collection can only be initiated when an analyst is able to articulate, and document, a specific set of facts meeting the statutory and procedural requirements for demonstrating that: 1) a specific "facility" (such as a phone number or email address) 2) is associated with a specific user 3) who is a non-U.S. person, 4) who is reasonably believed to be located outside the U.S., and 5) who is likely to possess or communicate foreign intelligence information.

Although a large number of selectors have been targeted under FAA 702, each of those facilities has been tasked for collection because on an individual, particularized basis each one of them meets the criteria noted above. 

Each annual certification is accompanied by lengthy, detailed targeting and minimization procedures, which must be reviewed by the FISC. The procedural protections include both technical and administrative controls to guard against improper collection or handling of the information. They include pre- and post-targeting checks on collection; requirements for rigorous training and testing before personnel can access 702 data; and restrictions on dissemination and use of the information. 

Second, 702 does not allow indiscriminate collection of non-U.S.-person communications.
As the independent Privacy and Civil Liberties Oversight Board noted in its comprehensive 2014 report, 702 collection may only be directed against targets who are likely to possess, communicate, or receive foreign intelligence information. The targeting rationale must include an explanation for each facility — such as a phone number or email address — which substantiates the basis for the targeting. As has been noted by a number of intelligence professionals in their public testimony, all signals intelligence collection must be tied to, and based upon, an intelligence requirement that’s been vetted through a formal interagency process.

In other words, neither the statute nor the procedures permit random, arbitrary, or pointless targeting of anyone, even if they are non-U.S. persons located outside the U.S.

Two concerns

Why querying for U.S. person identifiers doesn't amount to a "back door search."
Some critics have referred to the ability to query 702 data using U.S. person identifiers as "back door searches." But because the front-end collection is carried out in a tailored, documented, and carefully overseen manner, it is neither unlawful nor inappropriate for analysts to query the collected information using U.S. person identifiers when there is a legitimate basis to do so.

Although these searches carry privacy risks, those risks are held in check by current oversight mechanisms. For example, NSA analysts must obtain prior approval to run U.S. person identifier queries in FAA 702 content; there must be a basis to believe the query is reasonably likely to return foreign intelligence information; all queries are logged and reviewed after the fact by NSA; and DoJ and ODNI review every U.S. person query run at NSA and CIA, along with the documented justifications for those queries.

The government has a compelling national security need to carry out those searches in appropriate cases. As an IC lawyer for many years, I know how often urgent, time-sensitive operational questions come up in the middle of the night and on weekends. If analysts, who work 24 hours a day, seven days a week, had to request permission from an outside body such as the Foreign Intelligence Surveillance Court before running U.S. person queries, there is a very real risk that the government would miss the critical time window for finding and acting on essential information.

Why privacy professionals should be concerned about proposals to measure the incidentally collected U.S. person communications. 
Privacy advocates have pressed the IC to count the number of U.S. person communications that are collected incidentally, that is, swept into surveillance when a U.S. person or a person in the U.S. communicates with an intelligence target. In order to assess the privacy drawbacks of doing a count like this, it's important to understand how it would have to work.

In typical analytic tradecraft, analysts run queries looking for intelligence information; they review those communications; and if they find something of interest, they look to see whether the communication includes identifiers, such as email addresses or phone numbers, that they haven't seen before. If the communication has no intelligence value, the analyst has little reason to research the identity, nationality, or location of the user of that identifier.

In order to determine who the unknown identifiers belong to and where those users are in the world, the analysts would need additional information. In some cases, technical data may help assist with the location determination. But technical information generally cannot identify whether the user of an email account happens to be a U.S. person located somewhere else in the world.

To count the number of U.S. person communications that are incidentally acquired under Section 702, the IC would have to find every unknown identifier in 702 communications and then analyze each one in order to determine whether it is being used inside or outside the U.S. and whether its user might be a U.S. person. NSA does not, and should not, collect or maintain comprehensive directories of the communications identifiers used by U.S. persons. Without such a reference database, an accurate count of U.S. person communications would be impossible. Yet creating a comprehensive reference database of identifiers used by people who are not of any intelligence interest would itself constitute a significant intrusion on privacy, and unlike many other privacy risks, there is no intelligence value or gain that could offset or justify this intrusion.

In addition to the privacy impacts, searching for U.S. persons who aren’t intelligence targets would cause the IC to divert significant resources away from doing their core mission of intelligence analysis.

Finally, it is unlikely that knowing the number or percentage of U.S. persons in a particular data sample would result in increased privacy protections in the future: first, because it isn’t clear whether numbers or percentages would be constant over time or across target sets; and second, because the fundamental challenge remains an intractable one: As long as foreign intelligence targets communicate with U.S. persons, there will be some instances in which those communications are incidentally intercepted. This risk is precisely the reason why Congress required, and why the government must abide by, court-approved minimization procedures designed to protect that information.

Final thoughts 

First, 702 oversight works. 
In designing this statute, Congress wisely chose to build in oversight mechanisms involving all three branches of government.  

Four committees in Congress have oversight jurisdiction over the government's activities under Section 702: the Senate Select Committee on Intelligence, the House Permanent Select Committee on Intelligence, and the Senate and House Judiciary Committees. These committees receive all government filings, hearing transcripts, and FISC orders and opinions related to the court's consideration of the Section 702 certifications, along with reports from agency inspectors general.

The FISC also plays a critical role in oversight of the 702 program. The government must report compliance incidents to the FISC through "Rule 13(b)" notices (named for the FISC rule of procedure that requires them) describing each incident of non-compliance. It's not uncommon for the FISC to ask the government to provide supplemental information to address any questions the court may have regarding those incidents. In addition to this ongoing oversight function, each year the FISC reviews the government's annual certification package, making independent determinations about whether the proposed certifications meet the necessary standards under the law and whether the targeting and minimization procedures faithfully incorporate all of the necessary restrictions, and reviewing the compliance incidents that have taken place over the past year.

The intelligence agencies have rigorous internal oversight and compliance programs, and DoJ and ODNI conduct detailed external oversight through joint reviews of the day-to-day implementation of intelligence activities under FAA 702. These reviews include examining targeting decisions; examining queries; examining disseminations of 702 data; reporting to the FISC and to Congress every instance of non-compliance that is identified; and assessing the Intelligence Community's implementation of appropriate remedial actions to address compliance matters, including purging of non-compliant data and recalling non-compliant disseminations.

Equally important to these external checks, the use of the FAA 702 authority takes place within a deeply rooted culture of compliance.  

As someone who, today, advises private-sector entities on cybersecurity and privacy, I’m well attuned to the fact that one of the most important factors in a successful privacy or compliance program is maintaining a culture of compliance, and setting that tone from the top. 

In thirteen years at NSA, I saw mistakes that resulted from human error. I also saw instances in which technical complexity led to errors that hadn’t been foreseen. All of these were reported promptly and addressed. However, I did not see people deliberately taking actions that would abuse the trust placed in them in handling this very sensitive data. In other words, my experience was entirely consistent with the PCLOB’s finding that, “Although there have been various compliance incidents over the years, many of these incidents have involved technical issues resulting from the complexity of the program, and the Board has not seen any evidence of bad faith or misconduct.”

Second: 702 intelligence works.
While at NSA, I had the opportunity to witness firsthand the critical importance of robust intelligence information in supporting U.S. troops and in detecting terrorist plans and intentions that threatened the safety of the U.S. and its allies. Many of those instances are recent and remain classified.

However, some successes have been publicly released.

As the PCLOB noted in its report, "[O]ver a quarter of the NSA's reports concerning international terrorism include information based in whole or in part on 702 collection, and this percentage has increased every year since the statute was enacted." These numbers are underscored by the success stories that were presented in unclassified testimony before the Senate Committee on the Judiciary in 2016.

As I testified to Congress, it's my belief, based on my personal experience and professional judgment, that Congress drew the balance of authority and restrictions in the right place when it enacted FAA 702 in 2008 and when it reauthorized it in 2012. This year provides an important opportunity for the FAA to be carefully scrutinized once again. But as Congress continues its work, it's worth remembering that things that aren't broke don't need fixing. Sometimes they just need to be extended as-is.

photo credit: t--h--s DSC_0602 via photopin (license)

Written By

April Doss, CIPP/US

2 Comments

  • Kimberley Laris Mar 20, 2017

    Your good faith observances of application use and monitoring are appreciated. However, concern remains about the opportunity for well-funded non-accountable access, manipulation, and mass copying of sensitive data via nefarious O/S admin account override. 
    
    If the ability to effectively detect and correct abuse of powerful anonymous privileged administrator rights to large seas of data and software in a timely manner were more certain, it would help trust levels.
    
    A raid on administrator employee private information has been underway to capture Admin passwords, because abused O/S Administrator accounts go undetectable in an application's audit trail, circumventing the intended application's accountability design.  
    
    O/S administrator accounts grant what IT Security professionals call "God permissions" to applications and databases, some record O/S admin activities for monitoring (i.e., view, manipulate, or copy sensitive data for offline analysis). If nefarious override Admin activity is detected (within voluminous system activity logs), the records often prove useless because only "Admin" is recorded - not a uniquely identifiable person/device as the application would. 
    
    In addition, someone abusing an O/S admin account can usually turn off and delete their activity before exiting a session. 
    
    Due to the futility and frustration, the widest data access role often remains unaccountable. There are exceptions to the rule, but they often require more planning insight than most technologists are allotted time to research and money to implement. Then, many of those tools are not interoperable with entrenched application O/S's.
    
    When no one with great IT power has a non-accountable footprint like Snowden, it will be reassuring to hear.  Until then, it is reasonable to expect crime on data and software assets to escalate.
  • Ken Mortensen Mar 21, 2017

    Kimberley, 
    
    I think your comment explains exactly what April states in "Why privacy professionals should be concerned about proposals to measure the incidentally collected U.S. person communications." If we were to require that the IC complete the integration of identity data for statistical measurement purposes, a new, currently non-existent risk would be created by obligating the IC to maintain identifiable information on both US and non-US persons.
    
    While I did not work with 702 in the day-to-day aspect of what April describes as her role, my experience at DOJ in looking at the programmatic integration of privacy and security into the collection and analytical processes was one that focused on the needed information without limiting what was needed. The concepts of "minimum necessary" and layered analytics provided administrative safeguards for privacy and the oversight discussed in the article works to ensure greater transparency in the implementation of the proper process.
    
    To that end, I agree with April that we need to encourage Congress to let a well-designed and well-functioning law remain in operation to serve the security of this Nation and our allies.
