Surveillance Reform Can No Longer Ignore EO 12333
Yesterday, a bunch of civil liberties groups issued a letter calling for FISA 702 reform as part of the Section 215 reauthorization this year. I agree that the reauthorization this year should address the problems with 702 that weren’t addressed last year, though even on FISA, the letter doesn’t go far enough. DOJ IG will soon issue a report partly addressing the Carter Page FISA application, and that will provide an opportunity to push to make reforms to traditional (individual) FISA, such as making it clear that some defendants must get to review the underlying affidavit. Similarly, it doesn’t make sense reforming Section 215’s subpoena function without, at the same time, reforming the subpoena authority that DEA uses for a similar dragnet that undergoes far less oversight, particularly given that Bill Barr is the guy who first authorized that DEA dragnet in his first go-around as authoritarian Attorney General.
But it’s also the case that the surveillance community could — and arguably has an opportunity to — address EO 12333 as well.
The Executive branch has been exploiting the tension between EO 12333 (foreign surveillance that, because it is “foreign,” is conducted under the exclusive authority of Article II) and FISA (“domestic” surveillance overseen by the FISA court) since Dick Cheney launched Stellar Wind on bogus claims the collection on foreign targets in the US amounted to “foreign” surveillance. From 2004 to 2008, Congress moved parts of that under FISA. But at several points since, the government has reacted to FISA restrictions by moving their surveillance under EO 12333, most notably when it moved much of its collection of Internet metadata under EO 12333 in 2012.
Unfortunately, most of the surveillance community and reporters covering such issues have been woefully unaware of even the limited public disclosures on EO 12333 surveillance (which for a time was branded as SPCMA). That made activism around Section 215 far less effective, as few people understood that Section 215 data was and remains just a small part of a larger, duplicative dragnet, and a lot of the claims made about the need for USA Freedom Act didn’t account for precisely what role the Section 215 dragnet played in the larger whole.
As one of its last acts, the Obama Administration institutionalized EO 12333 sharing across intelligence agencies, formalizing what Dick Cheney had been aiming for all along, just before Donald Trump took over. At least as soon as that happened, the FBI (and other agencies, including but not limited to CIA) obtained a source of content that paralleled (and like the metadata dragnet, surely is significantly duplicative with) Section 702 collection.
That means the Section 702 opinion released last week discusses querying methods that may also be applied, in the same systems, to EO 12333 data. Indeed, one aspect of the querying procedures FBI finally adopted — that queries limited “such that it cannot retrieve unminimized section 702-acquired information” — is the kind of setting that NSA used to re-run queries that returned FISA information so as to return, instead, only EO 12333 data that could be shared under different rules with less oversight. Furthermore, the regime set up under EO 12333, which already includes squishy language about queries “for the purpose of targeting” a US person (suggesting other purposes are permissible), has the same kind of internal approval process that the government wanted to adopt with 702.
If FBI is querying both 702 and EO 12333 raw content in the same queries, it means the standards laid out by James Boasberg in his opinion should apply. Notably, Boasberg wrote at some length about what constituted “reasonable” procedures to govern querying, and under a balancing analysis, found that the procedures in place did not comply with the Fourth Amendment.
Whether the balance of interests ultimately tips in favor of finding the procedures to be inconsistent with the Fourth Amendment is a close question. Reasonableness under the Fourth Amendment does not require perfection. See In Re Directives, 551 F.3d at J 015 (“the fact that there is some potential for error is not a sufficient reason to invalidate” surveillances as unreasonable under the Fourth Amendment). Nonetheless, if “the protections that are in place for individual privacy interests are … insufficient to alleviate the risks of government error and abuse, the scales will tip toward a finding of unconstitutionality.” kl at 1012. Here, there are demonstrated risks of serious error and abuse, and the Court has found the government’s procedures do not sufficiently guard against that risk, for reasons explained above in the discussion of statutory minimization requirements.
By contrast, under the EO 12333 procedures, the only reasonableness review takes place when NSA decides whether to share its SIGINT, which doesn’t include risk of error and abuse.
Reasonableness. Whether approving the request is reasonable in light of all the circumstances known at the time of the evaluation of the request, including but not limited to:
[snip]
e. (U) The likelihood that sensitive U.S. person information (USPI) will be found in the information and, if known, the amount of such information;
f. (U) The potential for substantial harm, embarrassment, inconvenience, or unfairness to U.S. persons if the USPI is improperly used or disclosed;
And that’s with the additional minimization procedures under 702 that are stronger than the dissemination rules under the EO 12333 rules.
There are limits to this. Boasberg based his Fourth Amendment review in statutory considerations, statute that doesn’t yet exist with 12333. He did not determine that the act of querying, by itself, warranted Fourth Amendment protection (though the amici pushed him to do so).
But that shouldn’t stop Congress from requiring that FBI adhere to the same practices of querying with EO 12333 collected data as it does with Section 702 collected data, which would in turn limit the value, to FBI, of engaging in surveillance arbitrage by doing things under EO 12333 that it couldn’t do under 702.
We know NSA swept up data between foreign servers of Google and Yahoo under EO12333 as a way to get around restrictions on collecting data on US persons under FISA, what’s to keep them from using “traffic shaping” via manipulating BGP and/or DNS to route domestic communications through overseas routers and collecting it as “foreign” communication, and then sharing with ‘domestic’ agencies?
Found the paper/report:
Sharon Goldberg, “Surveillance without Borders: The ‘Traffic Shaping’ Loophole and Why It Matters”
https://tcf.org/content/report/surveillance-without-borders-the-traffic-shaping-loophole-and-why-it-matters/
I have always felt that surveillance issues seem to be too complicated for the average reader. Eyes seem to glaze over with the numbered citations and talk of metadata compounded by query limitations, or lack thereof. What we need is some decent trial lawyers to come up with an easily digested analogy. By that I mean, lawyers who are smarter than I am.
Skilly! Have not seen you in a while. You have been missed.
As you likely know, it is not the trial lawyers that know that technical stuff, it is the expert witnesses they hire, whether for background, or actual trial testimony (and often those are two very different sets).
BMAZ,
Thanks for the warm regards. I am always lurking don’t you know. The great trial lawyers take all that expert witness testimony and turn it into a story that is linear and didactic. Usually the trial lawyers do not understand the evidence much better than the jurors but they know the power of a good story. The analogy supports the story. When I speak of these legal issues to my family at thanksgiving, I lose the audience the moment I mention EO12333. I have often mulled what might be a reasonable analogy to keep them rapt to the issues of privacy being trampled.
Yes, indeed. It is totally the story, and how you can fit the experts into it. That is why I mentioned that sometimes you have two sets of them.
And I have not found the good framing to get my extended family on to any of this either. Though one of them actually works in the business, so he is never a doubter. He knows what they do. Others, not so much.