While It Is Reauthorizing FISA Amendments Act, Congress Should Reform Section 704

On Tuesday, the Senate Judiciary Committee had a public hearing on FISA Amendments Act reauthorization, which will take place in the next year. The hearing was treated as solely the reauthorization of Section 702 of FAA. But in fact, all of Title VII needs to be reauthorized. Which is why I think Congress should reform Section 704 — or at the very least, ask a whole lot more questions about how it (and by association EO 12333) is used against Americans.

As a reminder, here are the parts of Title VII authorizing collection (there are also some transparency provisions):

  • 702: Permits the government to target non-US persons located overseas based on only a FISA review of broad certifications; includes PRISM and upstream
  • 703: Requires NSA to obtain an individualized order when targeting electronic communications of US persons overseas; this is basically for collection on US persons overseas with the assistance of providers in the US
  • 704: Requires NSA to obtain an individualized order when targeting US persons overseas using means for which they’d have a reasonable expectation of privacy in the US; this is basically for spying on US persons overseas when the collection itself takes place overseas
  • 705a: Permits the government to apply for joint applications, effectively permitting them to do both 703 and 704 authorized spying
  • 705b: Permits the Attorney General to approve spying for US persons targeted under traditional FISA when they are located overseas

My interest in Section 704 stems from a fact that no one appears to know: NSA doesn’t use Section 703 of FAA. At all.

There’s a still-unreleased Snowden document that states that explicitly (something to the effect of, “to date [which date was probably 2012], the NSA has not used this authority”). But even some public documents make this clear. For example, the Q1 2012 Intelligence Oversight Board report, which broke out reporting for all FISA authorities used (the hidden authority is probably Title IV), lists only 704 and 705b, not 703 or 705a. More starkly, a 2010 NSA IG Report (PDF 10) discussing FISA authorities only names traditional FISA, Section 704, and Section 705b, which may mean 705a is not used either.

I’ve been asking what this means since I first figured this out (so for two years) and not a single person has been able to explain it to me. To be fair, most simply don’t believe me that Section 703 is not used and so just blow off my question.

I think this means one (or a combination) of several things:

  • No surveillance of Americans overseas takes place with the assistance of US providers (which would trigger 703)
  • The government has some interpretation — perhaps a corollary to their claim that Americans have no expectation of privacy for any international communications — that claims they can use a lower standard for people overseas
  • The government uses traditional FISA even on people located overseas

I used to think it was this last one: that the government just went through the trouble of getting a traditional order every time it targeted a US person, meaning they’d also give the person full FISA notice if that person were prosecuted. Except I think using a traditional order to target an American overseas is actually a violation (!) that gets reported to IOB.

If it’s not that, then you would think it’d have to be the wacky interpretation, the middle option. After all, Americans are at least as likely to use Gmail as foreigners are, so to get the Gmail of Americans overseas, the NSA would presumably ask Google for assistance, and therefore trigger 703, unless there were a wacky legal interpretation to bypass that. There are things that make it clear NSA has a great deal of redundancy in its collection, even with PRISM collection, which makes it clear they do double dip, obtaining even Gmail overseas and domestically (which is why they’d have GCHQ hack Google’s overseas fiber). It’s possible, though, that the NSA conducts so much bulk collection overseas it is actually easier (or legally more permissive) to just collect US person content from bulk collections obtained overseas, thereby bypassing any domestic provider and onerous legal notice. I suppose it’s also possible that NSA now uses 703 (my proof they don’t dates to 2012 or earlier), having had to resort to playing by the rules as more providers lock up their data better in the wake of the Snowden revelations. (Note, Mieke Eoyang has an interesting FAA suggestion that would require exclusivity when NSA accesses content from US providers, thereby preventing them from stealing Google data overseas.)

My first point, then, in raising 704 is to say Congress and advocates should use this opportunity to figure out which of these options it is. Why is it that members of Congress still brag about having got NSA to accede to 703 when 703 is not used? What does it mean that they’re not using it?

But here’s my other concern. If the first option is the answer — that is, if overseas collection is so thorough that NSA can collect on someone, if there are reasons to, without using any provider, it means there’s a shit-ton of American content — both of people located in the US and overseas — accessible in NSA’s collections. We knew that. But it’d say even US provider content is available in great volume (which would be doable for any of them not using encryption in motion).

My other concern is that Americans overseas may actually have more protections than Americans in the US.

FISA is pretty strict about location: the 700s only apply to people overseas, except for 705b, which is supposed to be tied to someone mostly in the US but heading to China on a business trip. Screwing that up is a violation that gets reported to the IOB.

Add to that the fact that (as I understand it) NSA can access already-collected US person content collected under EO 12333 with the approval of the Attorney General.

If I’m right about all this (a big if, given how little anyone knows about this), then it would say accessing the bulk collected communications of an American overseas would require a 704 order, whereas accessing the bulk collected communications of an American who was herself located in the US, but whose communications were located overseas, would only require AG approval. That can’t be right, can it? Perhaps 704 gives the government some added authorities, such as the ability to target someone using XKeyscore. But we know NSA has collected “vast troves” of US person data overseas, and we know that Assistant Attorney General John Carlin doesn’t think his department should oversee that collection at all! Carlin stated clearly in February 2014 that even “vast troves” of US person data collected “incidentally” (which, under bulk collection, would mean all of it transiting overseas) get no FISA protection.

So in addition to politely requesting that Congress figures out how it is that NSA doesn’t use Section 703, at all, I’d also like to politely suggest that 704 protections or the equivalent be extended to Americans who are located in the US but whose communications have gone to Europe without them.

There has been a lot of discussion about how the NSA accesses the content of US persons who are themselves located in the US but whose communications get collected “overseas.” That has been treated as an EO 12333 issue (and as such, something that would take pulling teeth to get the Executive to agree to change). But there’s a mirror image of that problem, I think, in the Section 704 question. So perhaps shoring up Section 704 is the way to deal with both?

6 replies
  1. martin says:

    emptywheel:
    “So in addition to politely requesting that Congress figures out how it is that NSA doesn’t use Section 703, at all, I’d also like to politely suggest that 704 protections or the equivalent be extended to Americans who are located in the US but whose communications have gone to Europe without them.”
    Congress:
    “We’re sorry, but you have mistaken this institution for one that listens to We The People. So..no.”

  2. martin says:

    ps.. In other words..Congress doesn’t give a flying fuck what you, or any other
    citizen in this cuntry thinks.

    • Ol' Hippy says:

      I think that just about sums it up. When is the last time the citizenry was even listened to? Democracy has been dead for a while in the US, most folks just haven’t realized it yet, if ever. They’re going to do what they’re going to do regardless.

  3. SpaceLifeForm says:

    704 is the loophole (literally) for 703.
    You just install fibre splitters and/or backdoor routers
    and route the traffic out of US and back.
    Seriously. Been happening since y2k.

  4. Ian says:

    Emptywheel(Marcy) says:
    But we know NSA has collected “vast troves” of US person data overseas, and we know that Assistant Attorney General John Carlin doesn’t think his department should oversee that collection at all! Carlin stated clearly in February 2014 that even “vast troves” of US person data collected “incidentally” (which, under bulk collection, would mean all of it transiting overseas) get no FISA protection.
    So in addition to politely requesting that Congress figures out how it is that NSA doesn’t use Section 703, at all, I’d also like to politely suggest that 704 protections or the equivalent be extended to Americans who are located in the US but whose communications have gone to Europe without them.

    I SAY:
    Marcy I’m getting a bit confused here. I looked up the original Guardian article of 21 June 2013 with its headline of:
    .
    GCHQ taps fibre-optic cables for secret access to world’s communications
    .
    Exclusive: British spy agency collects and stores vast quantities of global email messages, Facebook posts, internet histories and calls, and shares them with NSA, latest documents from Edward Snowden reveal
    .
    The article goes on to detail how [Britain’s] GCHQ had performed the technologically brilliant task of inserting “intercept probes” [presumably attached to the “optical regenerators” [called “repeaters” in an analog electrical telephone/coaxial/submarine telegraph cable]] from [what later reports suggested would be] at least 3 locations [Cornwall, Gibraltar, a 3rd site thought to be either Cyprus [says Reuters] or Oman [at the Straits of Hormuz, entrance to the Persian Gulf]] and, consistently since the 1970s, the British press has entertained rumors that the island of Diego Garcia holds far more secrets than just being a pre-positioning site for the heavyweight equipment for a USMC Expeditionary Unit [prompted by at least one (1) Court-Martial of a Royal Navy seaman describing life at a “Joint RN/USN wireless intercept station” on Diego Garcia].
    .
    Citing Mr Snowden’s documents dated 2012 the other claims included:
    FOR GCHQ:
    “…..The sheer scale of the agency’s [i.e. GCHQ’s] ambition is reflected in the titles of its two principal components: Mastering the Internet and Global Telecoms Exploitation, aimed at scooping up as much online and telephone traffic as possible. ——For the 2 billion users of the world wide web, Tempora represents a window on to their everyday lives, sucking up every form of communication from the fibre-optic cables that ring the world.”
    and:
    “By 2010, two years after the project [i.e GCHQ Tempora] was first trialled, it was able to boast it had the “biggest internet access” of any member of the Five Eyes electronic eavesdropping alliance, comprising the US, UK, Canada, Australia and New Zealand.–UK officials could also claim GCHQ “produces larger amounts of metadata than NSA”. (Metadata describes basic information on who has been contacting whom, without detailing the content.)——–By May last year [i.e. May 2012] 300 analysts from GCHQ, and 250 from the NSA, had been assigned to sift through the flood of data.———The documents reveal that by last year [i.e.2012] GCHQ was handling 600m “telephone events” each day, had tapped more than 200 fibre-optic cables and was able to process data from at least 46 of them at a time”.—-[with later reports suggesting that the necessary infrastructure was in place by Christmas 2012 to store data from all 200+ cable connections]—- ——-The processing centres apply a series of sophisticated computer programmes in order to filter the material through what is known as MVR – massive volume reduction. The first filter immediately rejects high-volume, low-value traffic, such as peer-to-peer downloads, which reduces the volume by about 30%. Others pull out packets of information relating to “selectors” – search terms including subjects, phone numbers and email addresses of interest.—-Some 40,000 of these were chosen by GCHQ and 31,000 by the NSA. Most of the information extracted is “content”, such as recordings of phone calls or the substance of email messages. The rest is metadata.”
    .

    FOR THE [USA’s] NSA:
    The NSA has meanwhile opened a second window, in the form of the Prism operation, revealed earlier this month by the Guardian, from which it secured access to the internal systems of global companies that service the internet.
    .
    HERE IS WHERE I AM GETTING CONFUSED:
    In my ignorance, & knowing the history of the British Empire’s original submarine cable global network [from 1860-1990’s], the world’s mobile/cellular standards [the GSM standards] are a British-French invented standard of the 1986-1991 era, Vodafone plc continues to be the world’s largest [non-Chinese] mobile/cellphone network provider by several measures—-I had ASSUMED that —IN LAW/legally [Britain’s] GCHQ was doing the Collection of “a vast trove of US persons communications” along with a vast number of other countries’ nationals.
    .
    I had ALSO ASSUMED that such information London/Cheltenham had gathered would be made available to Washington based upon the [US] Executive Branch’s ability to organize “Secret Information from Foreigners & Foreigner’s Governments”.
    .
    Am I confusing myself? Would the Congress by changing Section 704 be claiming that they can organize [Britain’s] GCHQ—or is it the selection of “31,000 [selectors] by the NSA” [referred to earlier] that the Congress is organizing in [US] law?

    • Ian says:

      ONE FINAL THOUGHT:
      In the original Guardian article of 21 June 2013 with its headline of:
      .
      GCHQ taps fibre-optic cables for secret access to world’s communications

      There is the following quote:
      .
      “…..By May last year 300 analysts from GCHQ, and 250 from the NSA, had been assigned to sift through the flood of data.—–The Americans were given guidelines for its use, but were told in legal briefings by GCHQ lawyers: “We have a light oversight regime compared with the US”.—-When it came to judging THE NECESSITY & PROPORTIONALITY [my emphasis] of what they were allowed to look for, would-be American users were told it was “your call”…………”
      .
      At the time I had interpreted that as an instruction to NSA employees that the information they were accessing was given to them UNDER BRITISH PRIVACY LAW CONSTRAINTS where the “necessity & proportionality” of ANY measure throughout British life is a fundamental constraint—you can neither gather/collect “excessive” information-seeking “just for the sake of it” nor can you seek information “that is only tenuously connected to what you are authorized to do” [similar to the USA’s 2-hops or 3-hops searching that was much debated here at http://www.emptywheel.net in years past]
      .
      Again if Cheltenham/London had concluded an agreement with Washington that the Tempora program information was:
      i) made available on British soil, perhaps—we still don’t know where “250 NSA analysts” are based [UK or US or ????]
      ii) or made available to the [US] Executive Branch “with British law applying at the insistence of London”
      would the Congress insist on its right to re-organize section 704 etc etc?

      .

      .
