Friday, May 13, 2016

While It Is Reauthorizing FISA Amendments Act, Congress Should Reform Section 704

On Tuesday, the Senate Judiciary Committee held a public hearing on FISA Amendments Act reauthorization, which will take place in the next year. The hearing was treated as solely the reauthorization of Section 702 of FAA. But in fact, all of Title VII needs to be reauthorized. Which is why I think Congress should reform Section 704 — or at the very least ask a whole lot more questions about how it (and by association EO 12333) is used against Americans.

As a reminder, here are the parts of Title VII authorizing collection (there are also some transparency provisions):

  • 702: Permits the government to target non-US persons located overseas based only on a FISA Court review of broad certifications; includes PRISM and upstream
  • 703: Requires NSA to obtain an individualized order when targeting electronic communications of US persons overseas; this is basically for collection on US persons overseas with the assistance of providers in the US
  • 704: Requires NSA to obtain an individualized order when targeting US persons overseas using means for which they’d have a reasonable expectation of privacy in the US
  • 705a: Permits the government to submit joint applications, effectively permitting it to do both 703- and 704-authorized spying
  • 705b: Permits the Attorney General to approve spying on US persons already targeted under traditional FISA when they are located overseas

My interest in Section 704 stems from a fact that no one appears to know: NSA doesn’t use Section 703 of FAA. At all.

There’s a still-unreleased Snowden document that states this explicitly (something to the effect of, “to date [which date was probably 2012], the NSA has not used this authority”). But even some public documents make this clear. For example, the Q1 2012 Intelligence Oversight Board report, which broke out reporting for all FISA authorities used (the hidden authority is probably Title IV), lists only 704 and 705b, not 703 or 705a. More starkly, a 2010 NSA IG Report (PDF 10) discussing FISA authorities names only traditional FISA, Section 704, and Section 705b, which may mean 705a is not used either.

[Screenshot: excerpt of the 2010 NSA IG Report described above]

I’ve been asking what this means since I first figured this out (so for two years), and not a single person has been able to explain it to me. To be fair, most simply don’t believe me that Section 703 is not used and so just blow off my question.

I think this means one (or a combination) of several things:

  • No surveillance of Americans overseas takes place with the assistance of US providers (which would trigger 703)
  • The government has some interpretation — perhaps a corollary to their claim that Americans have no expectation of privacy for any international communications — that claims they can use a lower standard for people overseas
  • The government uses traditional FISA even on people located overseas

I used to think it was the last one: that the government just went through the trouble of getting a traditional order every time it targeted a US person, meaning it would also give the person full FISA notice if that person were prosecuted. Except using a traditional order to target an American overseas is actually a violation (!) that gets reported to the IOB.

If it’s not that, then you would think it would have to be the wacky interpretation, the middle option. After all, Americans are at least as likely to use Gmail as foreigners are, so to get the Gmail of Americans overseas, the NSA would presumably ask Google for assistance, and therefore trigger 703. That said, there are signs that NSA has a great deal of redundancy in its collection, even with PRISM collection: they do double dip, obtaining Gmail both overseas and domestically (which is why they’d have GCHQ hack Google’s overseas fiber). It’s possible, then, that the NSA conducts so much bulk collection overseas that it is actually easier (or legally more permissive) to just pull US person content from bulk collections obtained overseas, thereby bypassing any domestic provider and onerous legal notice. I suppose it’s also possible that NSA now uses 703 (my proof that they don’t dates to 2012 or earlier), having had to resort to playing by the rules as more providers lock up their data better in the wake of the Snowden revelations. (Note, Mieke Eoyang has an interesting FAA suggestion that would require exclusivity when NSA accesses content from US providers.)

My first point, then, in raising 704 is that Congress and advocates should use this opportunity to figure out which of these options it is. Why is it that members of Congress still brag about having gotten NSA to accede to 703 when 703 is not used? What does it mean that they’re not using it?

But here’s my second concern. If the first option is the answer (that is, if overseas collection is so thorough that NSA can collect on someone, when there are reasons to, without using any provider), it means there’s a shit-ton of American content, both of people located in the US and overseas, accessible in NSA’s collections. We knew that. But it would mean even US provider content is available in great volume (which would be doable for any provider not using encryption in transit).

My third concern is that Americans overseas may actually have more protections than Americans in the US.

FISA is pretty strict about location: the 700s apply only to people overseas, except for 705b, which is supposed to be tied to someone who is mostly in the US but heading to China on a business trip. Screwing that up is a violation that gets reported to the IOB.

Add to that the fact that (as I understand it) NSA can access already-collected US person content obtained under EO 12333 with the approval of the Attorney General.

If I’m right about all this (a big if, given how little anyone knows about it), then accessing the bulk-collected communications of an American overseas would require a 704 order, whereas accessing the bulk-collected communications of an American who was herself located in the US, but whose communications were located overseas, would require only AG approval. That can’t be right, can it? Perhaps 704 gives the government some added authorities, such as the ability to target someone using XKeyscore. But we know NSA has collected “vast troves” of US person data overseas, and we know that Assistant Attorney General John Carlin doesn’t think his department should oversee that collection at all! Carlin stated clearly in February 2014 that even “vast troves” of US person data collected “incidentally” (which, under bulk collection, would mean all of it transiting overseas) get no FISA protection.

So in addition to politely requesting that Congress figure out how it is that NSA doesn’t use Section 703, at all, I’d also like to politely suggest that 704 protections or the equivalent be extended to Americans who are located in the US but whose communications have gone to Europe without them.

There has been a lot of discussion about how the NSA accesses the content of US persons who are themselves located in the US but whose communications get collected “overseas.” That has been treated as an EO 12333 issue (and as such, something that would take pulling teeth to get the Executive to agree to change). But there’s a mirror image of that problem, I think, in the Section 704 question. So perhaps shoring up Section 704 is the way to deal with both?
