In response to growing privacy concerns about the government’s intelligence programs, President Obama outlined a series of steps last Friday aimed at ushering in “concrete and substantial” reforms to the National Security Agency (NSA).
“Americans recognized that we had to adapt to a world in which a bomb could be built in a basement and our electric grid could be shut down by operators an ocean away,” Obama said in a speech at the Justice Department. “And yet,” he added, “in our rush to respond to very real and novel threats, the risk of government overreach – the possibility that we lose some of our core civil liberties in pursuit of security – became more pronounced.”
“The reforms I’m proposing today,” the president said, “should give the American people greater confidence that their rights are being protected, even as our intelligence and law-enforcement agencies maintain the tools they need to keep us safe.”
The political challenges to implementing reform are daunting. Obama’s desire to move data out of the government’s hands places him between two unfamiliar extremes. At one end, Obama must contend with an odd mix of tea party Republicans, libertarians and civil liberties Democrats who want the government’s bulk collection of data to end. At the other end are powerful lawmakers, including the chairmen of the House and Senate intelligence committees, who have resisted any substantial changes.
Compounding this problem, however, is the confusion that persists among the American public, lawmakers, and national media about what information is being collected and under which authorities the NSA is acting. Discussion and commentary about NSA surveillance has rushed the story to the darkest corner of the room. And despite the avalanche of news stories about NSA surveillance, it seems the more we read, the less clear things are.
What follows is a detailed snapshot of what’s known and what’s been reported where. The NSA surveillance leaks pertains to two different intelligence collection programs. Although both of these programs arise from provisions of the Foreign Intelligence Surveillance Act (FISA), they rely on separate authorities, collect different types of information, and raise different policy questions. As such, it’s important to know the differences between them.
Domestic Collection of Domestic Phone Records
The first program collects and stores bulk domestic phone records that some argue could be gathered to equal effect through more focused records requests.
What information is being collected? The program collects “metadata” – which in this context refers to data about a phone call, but not the phone conversation itself. According to intelligence officials, the data are limited to the number that was dialed from, the number that was dialed to, and the date and duration of the call. Information collected does not include the location of the call (beyond the area code identified in the phone number), the content of the call, or the identity of the subscriber. Furthermore, the data must be destroyed within five years of acquisition.
What are the legal bases for the collection? Section 215 of the USA PATRIOT ACT. Specifically, Section 215 modified the business records provisions of FISA to permit the FBI to apply to the Foreign Intelligence Surveillance Court (FISC) for an order compelling a person to produce “any tangible thing,” including records held by a telecommunications provider concerning the number and length of communications, but not the contents of those communications. In 2005, Section 215 was amended to require the FBI to provide a statement of facts showing that there are “reasonable grounds to believe” that the tangible things sought are “relevant to an authorized investigation (other than a threat assessment)” into foreign intelligence, international terrorism, or espionage.
In August 2013, the Obama Administration released a whitepaper providing a legal analysis of the bulk collection of telephony metadata under Section 215. It should be noted, however, that much of the statutory language underpinning this program is ambiguous and subject to serious and concerned debate. For example, the phrases “reasonable grounds to believe” and “relevancy” are not defined by FISA, and there are no publicly available judicial opinions interpreting this language in the context of Section 215.
What oversight mechanisms are in place? According to intelligence officials, the collection of phone records in bulk is conducted pursuant to FISC orders that must be renewed every 90 days. The data are stored at NSA, and the FISC approves the procedures governing access to those data. However, while FISC reportedly requires NSA meet a “reasonable articulable suspicion” standard prior to searching the data, FISC approval is not necessary prior to searching the data already held at NSA. Rather, 22 individuals at NSA have been authorized to approve requests to query the data.
Intelligence officials have identified several additional oversight mechanisms that monitor the implementation of this program. These include (1) a report filed every 30 days with the FISC; (2) a meeting at least every 90 days between the Department of Justice (DOJ), the Office of the Director of National Intelligence (ODNI), and NSA; and (3) a semiannual report to Congress.
Domestic Collection of Foreign Internet-Related Data
The second program targets the electronic communications of non-U.S. persons while they are abroad, but also collects some communications unrelated to those targets. In Section 1801(h) of FISA, U.S. persons are defined to include U.S. citizens and legal permanent residents, as well as unincorporated associations comprised of a substantial number of U.S. persons and most domestically chartered corporations.
What information is being collected? On June 6, 2013, The Washington Post reported that “The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track foreign targets.” The Guardian ran a similar story that same day. These articles referred to a system called PRISM allegedly used to collect this data. Government officials and outside commentators have argued that portions of these stories are inaccurate. However, it is clear that, compared to the breadth of phone records collected under Section 215, this program is more discriminating in terms of its targets, but broader in terms of the type of information collected.
What are the legal bases for the collection? Section 702 of FISA. Prior to the enactment of Section 702 (and its predecessor in the Protect America Act of 2007), FISA only authorized sustained electronic surveillance after the issuance of a FISC order that was specific to the target. Section 702, however, permits the Attorney General (AG) and the Director of National Intelligence (DNI) to jointly authorize targeting of non-U.S. persons reasonably believed to be located outside the United States.
Acquisitions under Section 702 are geared toward electronic communications or electronically stored information, and are subject to several limitations. Specifically, an acquisition: (1) may not intentionally target any person known at the time of acquisition to be located in the United States; (2) may not intentionally target a person reasonably believed to be located outside the United States if the purpose of such acquisition is to target a particular, known person reasonably believed to be in the Untied States; (3) may not intentionally target a U.S. person reasonably believed to be located outside the United States; (4) may not intentionally acquire any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States; and (5) must be conducted in a manner consistent with the Fourth Amendment to the Constitution of the United States.
The targeting and minimization procedures must be submitted to the FISC for approval. Under Section 702, if the FISC disapproves of the proposed minimization procedures, the government may revise those procedures in order to come into compliance.
What oversight mechanisms are in place? Compared to the Section 215 program, the oversight regime governing the collection of electronic communications pursuant to Section 702 is much less stringent. In accordance with the FISA Amendments Act, procedures governing the program are subject to court approval. According to the ODNI, “information is obtained with the FISA Court approval and with the knowledge of the provider based upon a written directive from the Attorney General and the Director of National Intelligence.” Actual collection of this information, however, does not require a court order, and decisions regarding whether collection is consistent with the requirements of Section 702 appear to take place largely within the DOJ and ODNI.
After data are collected, NSA is required to submit (1) a quarterly report to the FISC concerning compliance issues, (2) a semi-annual report to the FISC and Congress that assesses compliance with targeting and minimization standards, (3) a semi-annual report to the FISC and Congress on the implementation of the program, and (4) an annual review from the NSA Inspector General.
Reforming the NSA Programs
Criticism has increasingly focused on the collection of phone records pursuant to Section 215. Critics have expressed particular concern about data provided to NSA in bulk about U.S. citizens, and question whether any value from those records could have been derived from a more traditional court order. Many critics of Section 702 collection appear to acknowledge that it is a valuable tool for national security, but question whether the program has been implemented, or can be implemented, in a way that adequately protects American civil liberties.
The Obama Administration sees these programs as a “critical” component of its national security strategy. But in light of the public backlash over the programs, the administration has finally begun proposing modest changes to the NSA surveillance programs. Obama has tasked Attorney General Eric Holder and Director of National Intelligence James R. Clapper with devising a plan by March 28. But as The Wall Street Journal notes, the administration may be focused on a more significant date. In June 2015, Section 215 of the USA PATRIOT ACT, the law that underpins the program regarding the collection of domestic phone records, is set to expire.
“In some ways, the NSA controversy presents Obama with the inverse of the political problem he faced with the U.S. military prison at Guantanamo Bay, Cuba,” wrote Ellen Nakashima and Greg Miller at the WSJ. “He has spent six years trying to figure out how to shut down that facility. He may now have 18 months to find a way to preserve the NSA’s capabilities.”