The 6-Month Review
In Lichtblau and Risen’s piece on the ongoing warrantless wiretap problems, they report that the problems were identified in preparation for a semiannual review of the warrantless wiretap program.
The overcollection problems appear to have been uncovered as part of a twice-annual certification that the Justice Department and the director of national intelligence are required to give to the Foreign Intelligence Surveillance Court on the protocols that the N.S.A. is using in wiretapping. That review, officials said, began in the waning days of the Bush administration and was continued by the Obama administration. It led intelligence officials to realize that the N.S.A. was improperly capturing information involving significant amounts of American traffic.
Best as I can tell, this is the semiannual assessment in question.
“(1) SEMIANNUAL ASSESSMENT.—Not less frequently than once every 6 months, the Attorney General and Director of National Intelligence shall assess compliance with the targeting and minimization procedures adopted in accordance with subsections (d) and (e) and the guidelines adopted in accordance with subsection (f) and shall submit each assessment to—
“(A) the Foreign Intelligence Surveillance Court; and
“(B) consistent with the Rules of the House of Representatives, the Standing Rules of the Senate, and Senate Resolution 400 of the 94th Congress or any successor Senate resolution—
“(i) the congressional intelligence committees; and
“(ii) the Committees on the Judiciary of the House of Representatives and the Senate.
So, basically, every six months, the DNI and AG need to look at the program and see whether the NSA is complying with the targeting and minimization requirements of the law.
The targeting language basically says NSA cannot intentionally target US persons.
“(b) LIMITATIONS.—An acquisition authorized under subsection (a)—
“(1) may not intentionally target any person known at the time of acquisition to be located in the United States;
“(2) may not intentionally target a person reasonably believed to be located outside the United States if the purpose of such acquisition is to target a particular, known person reasonably believed to be in the United States;
“(3) may not intentionally target a United States person reasonably believed to be located outside the United States;
“(4) may not intentionally acquire any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States; and
“(5) shall be conducted in a manner consistent with the fourth amendment to the Constitution of the United States.
And the minimization requirements require that incidentally collected US person data must not be circulated improperly and must be destroyed.
(h) “Minimization procedures”, with respect to electronic surveillance, means—
(1) specific procedures, which shall be adopted by the Attorney General, that are reasonably designed in light of the purpose and technique of the particular surveillance, to minimize the acquisition and retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information;
(2) procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in subsection (e)(1) of this section, shall not be disseminated in a manner that identifies any United States person, without such person’s consent, unless such person’s identity is necessary to understand foreign intelligence information or assess its importance;
(3) notwithstanding paragraphs (1) and (2), procedures that allow for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes; and
(4) notwithstanding paragraphs (1), (2), and (3), with respect to any electronic surveillance approved pursuant to section 1802 (a) of this title, procedures that require that no contents of any communication to which a United States person is a party shall be disclosed, disseminated, or used for any purpose or retained for longer than 72 hours unless a court order under section 1805 of this title is obtained or unless the Attorney General determines that the information indicates a threat of death or serious bodily harm to any person.
In short, they were preparing to do a report on whether they were complying with requirements that:
- No US person data be collected intentionally
- The amount of US person data incidentally collected must be minimized
- Incidentally collected US person data cannot be disseminated (though there’s a giant loophole for "foreign intelligence information")
- Unless they have a court order, US person data must be destroyed within 72 hours
In preparing this report, NSA determined it was out of compliance.
Two things Russ Feingold has said suggest that the loopholes in the dissemination of "foreign intelligence information" and for retaining US person data may have been exploited. First, in his statement today, Feingold said,
In addition, the administration should declassify certain aspects of how these authorities have been used so that the American people can better understand their scope and impact.
And, during David Kris’ confirmation hearing on February 25 (at which point Holder would presumably have already delayed the report), Feingold and Kris had this exchange:
SEN. FEINGOLD: We had an opportunity — and you can respond in a minute — but we had an opportunity earlier today to discuss in a classified setting specific concerns I have about how the FISA amendment act has been implemented. Without discussing those specifics in an open hearing, do you agree that there are serious problems that need to be corrected?
MR. KRIS: Senator, I do, I appreciate very much the meeting we had this morning, you raised a number of concerns that I as an outsider had not appreciated and you certainly got my attention. I have been thinking about it since we met and if it’s even possible you increased my desire to, if I were to be confirmed, to get to the bottom of the FISA amendments act and I hope if I am confirmed that I can take advantage of your learning of others on the committee and the intelligence committee to see how best to make any necessary improvements.
In other words, at around the same time as Holder was scrambling to fix this problem, Feingold was surprising David Kris–who at the time had probably the best understanding of what the illegal program was and the current program is of anyone not yet read into the program–with details on how it had been used.
All of which suggests that NSA was already using all the loopholes at its disposal (I’ll explain later why I’m all but certain, for example, that they have been keeping US person data for more than 72 hours with the approval of FISC). But even still, they were out of compliance.
That either means they were intentionally unintentionally collecting US person data.
Or they were disseminating incidentally collected US person data.
Given that data mining is part of this program, I’m guessing it means they’re still data mining US person data, whether or not that US person data has any ties to terrorism or foreign intelligence.
Who in the hell wrote these regulations? The weasel words, as you point out, enable NSA to do what it wants when and where it wants, and keep the communications as long as it wants, because there are no consequences. Expecting the Intelligence Committees to do their job is hopeless. DiFink is nothing more than Jello J in drag.
EW,
Thanks for your continued digging into these matters.
It strikes me that the general approach here ignores the difference between abstract policy, and technological realities. For example, I believe that the abstract policy enunciated by the law does not realistically take into account technological realities.
Let us assume for the moment (and I suspect this is true) that the basic technique involved in modern wiretapping, as it has been practiced for the past 8 years, involves “hoovering,” as you put it– i.e., vacuuming up everything– all communications of every kind– that pass through a given communications node during a specified period. The present law does not consider this possibility, and instead assumes an older surveillance model that presupposes specific communications carried by specific links. Modern technology with fiber optic cables, etc. can carry a vast river of communications that are sorted out at the end points. But in the middle all you get are millions of “packets” of information. Any particular email, for example, is transmitted not as a unit but as a series of packets– message segments. If you intercept this vast river, you get the proverbial haystack in which you may find needles.
You’ve heard all this before, but what I want to emphasize here is a lack of fit between the way the laws are written and the way the technology now works. In fact, I wonder if this is not the real issue holding up Judge Walker in his decisions.
Bob in HI
Almost makes me wonder if somebody got pissed and forced certain issues, like the timing of the article after too much foot dragging…so pissed that they nipped some network to make a point?
Keep in mind there are two allegations in the NYT article, both of which must be explained wrt timing.
First, there’s the IG revelations about the Congressman, etc. That sounds like a leak made after a criminal referral didn’t get immediately considered, but that’s a total wildarsed guess. Also, keep in mind that by law should become public in three months.
Then there’s the stuff they found leading up to the review. NYT’s sources are largely intell officers (and Risen gets a byline here too). But note that four congressional committees are supposed to have been briefed on this report, which is a whole lot of people to know about something.
Feingold–speaking as he was to Kris on February 25–may or may not have gotten that briefing as of yet.
Another item worth keeping in mind IMO is that with respect to the certifications, starting with the first one, what happens under the FAA is that it goes to the FISCt for review. That’s 702(i).
At that point, the FISCt got a chance to look at what was being offered up as targeting and minimization procedures under 702(d) and (e). At that point, if the court thought there were “deficiencies” which could be deficiencies under the statute OR deficiencies under the Fourth Amendment, the court could require by order corrections of those deficiencies. So when the second review came up, a part of a review of compliance with minimization and targeting procedures “allowed” as being “under the act” would include any corrections of deficiencies addressed by court order from the first certification.
Going to the story, and the reference both to law and orders, and the allegation that “N.S.A. was improperly capturing information involving significant amounts of American traffic” you have to wonder why they say “improperly” rather than the “accidentally” “inadvertently” and “unintentionally” that they use in other sections. That makes me wonder if a part of what happened is that the FISCt orders were blown off – bc that has already happened. Or that orders relating to post collection use were blown off, as well as possible statutory issues.
My favorite revelation so far? Oh my God! NSA was contemplating a Congressman. Hey, Congressman, last time I checked, you weren’t doing a damned thing to make sure our Bill of Rights was enforced…so do I feel one ounce of shock or empathy on your behalf? No, I don’t. My guess? It was Obama they were going to tap into…and that’s the only reason we’re even hearing about it at this point. How about some shock that anyone was illegally tapped? Where are the prosecutions? Where are the consequences for breaking the law? Oh, yeah, I forgot…“I was just following orders” is the new law in our so-called democracy…