April 29, 2021 / by emptywheel

 

The Rickety 702 System: Why It Continues to Fail

Back in 2009, I showed how a heavily redacted opinion rejecting what we now know to be a Yahoo challenge to the Protect America Act found that the predecessor to FISA 702 was constitutional because of the minimization procedures implementing certificates implementing the surveillance program. We learned seven years later that Yahoo hadn’t been provided those minimization procedures as part of their challenge, and indeed, DOJ withheld a key document from Reggie Walton, who presided over the challenge, until after he made key decisions in the case. That was also the first year the government finally presented details about the intended use of what had become 702 to FISC, most importantly that FBI was getting raw data they would encourage Agents to query, even at the assessment level. But even two years later, FISC was still just pushing FBI to follow rules imposed requiring them to track their queries of the raw 702 data. Two years later, after being presented with evidence that FBI still hasn’t complied with the law as currently written, outgoing presiding judge James Boasberg nevertheless reauthorized the program.

In general, Boasberg’s opinion reauthorizing 702 from last November describes violations pertaining to FBI access of 702 data for queries that have both a national security and criminal investigative function, FBI’s improper use of batch queries, and real problems with protections for attorney-client communications at NSA that could really blow up in the IC’s face one of these days, all problems FISC has been reviewing for years. The opinion also describes how training and COVID have delayed what will be an inevitable accounting for the fact that one key purpose of 702 when it was started — to select a fraction of all the intelligence NSA examines and put it into FBI coffers to make it available for querying — is a poor fit with the current law.

To understand one reason why this never gets better, I wanted to look at the structure of this and all other reauthorization opinions, because it never fixes some of the problems built in from the start.

The 702 opinions, like traditional FISA approvals, are all driven by the statute, ticking off one required element after another. If everything gets ticked, in order, then hundreds of thousands of people remain targeted for surveillance, along with all the people they communicate with.

Memorandum opinion and order

The opinion starts with introductory mapping. Even at that point, Boasberg describes this reauthorization as a “status-quo” reauthorization, meaning the request certificates from the government have remained largely the same and so don’t present any new issues to reconsider.

I. Government’s Submission

A. 2020 Certifications and Amendments: The opinion starts by laying out what gets included in the package, which basically includes the certificates, along with the targeting (NSA and FBI), querying (NSA, FBI, CIA, and NCTC), and minimization (NSA, FBI, CIA, and NCTC) procedures that implement the certificates.

B. Subject Matter of the Certification: This section describes, in heavily redacted fashion, what the certificates do and the rules and intent for all of them. Last we knew, there were three certifications: one targeting terrorists, one targeting proliferation, and one targeting “foreign governments,” focusing not just on other countries’ spying, but also (to the extent it is a separate entity) their hacking. This section also notes, importantly, that these certificates renew prior authorizations; every year, FISC approves the new rules to apply to any new collections but also all the stuff already in the government’s possession. This is important, because analysts will continue to query (governed by one set of procedures) and report out (governed by minimization procedures) communications obtained in years past. Thus, every new approval covers all the stuff that came before (which also means the judges largely rely on their earlier decisions).

II. Review of the 2020 Certifications and Prior Certifications

One of the first things FISC does in these opinions is review the changes from past certifications, usually coming to the conclusion that, “we’ve approved these certifications going back 12 years, so we’ll just approve them again.” And some of this, as Boasberg admits in this opinion, is a matter of “check[ing]” procedural boxes — do the applications have the things required of them.

III. Targeting Procedures

Then each set of procedures is approved in isolation. First, the judge reviews whether targeting procedures fulfill the requirement that targeting procedures are “reasonably designed” to ensure that targets are outside the US and the procedures do not intentionally target communications entirely made up of US persons. For years, this has focused on making sure that if NSA or FBI get it wrong and target someone who’s in the US or is a US person, they detask the target quickly.

IV. Minimization and Querying Procedures

Then, the judge reviews whether the minimization procedures limit the dissemination of non-public US person data, allowing for its use for a foreign intelligence purpose and the sharing of evidence of a crime. Most opinions come with some language like this (from last year’s opinion) rationalizing — even though NSA and FBI have always refused to provide the data to test this assumption — that this content will be less impactful than traditional FISA collection.

In applying these statutory requirements, the Court is mindful that Section 702 acquisitions target persons reasonably believed to be non-U.S. persons outside the United States. Although such targets may communicate with or about U.S. persons, Section 702 acquisitions, as a general matter, are less likely to acquire information about U.S. persons that is unrelated to the foreign-intelligence purpose of the acquisition than, for example, electronic surveillance or physical search of a home or workplace within the United States that a target shares with U.S. persons.

Remember, unlike traditional FISA, there’s no individualized review of the foreign intelligence claims of these targets. So yeah, someone in Iran may have less contact with Americans, but the claims about that person require a far lower burden of foreign intelligence interest.

In last year’s opinion, Boasberg noted that the minimization (limits on dissemination) and querying (limits on searching the files) work together and analyzed them together. Nevertheless, with some more box-checking (for example, on whether each agency requires a record of queries made), Boasberg then concludes that since not much has changed, he can approve both the minimization and querying procedures.

Nothing detracts from the Court’s earlier findings [in past years] that these procedures as written are statutorily and constitutionally sufficient.

Remember: the FBI queries are the area where 702 has been particularly controversial of late, but the analysis of their application does not come here, in the section that approves them.

There is a discussion of attorney-client communications in here, particularly with regard to NSA’s use of attorney-client communications. But even after observing that,

The government does little by way of justifying the differing treatment of privileged communications by NSA,

Boasberg nevertheless relies on past approval for this same application to approve last year’s certificates.

[T]he Court has previously approved the dissemination provisions in the NSA procedures highlighted above, which unambiguously contemplate the dissemination of attorney-client privileged communications of the types being discussed here [redacted] subject to certain limitations and requirements.

[snip]

The Court again concludes that NSA’s procedures, as a whole and applied to it, an agency with no law-enforcement mission or authority, are reasonably designed to protect the substantial privacy interests in attorney-client communications, consistent with the need to exploit those communications for legitimate foreign-intelligence purposes.

Boasberg does “admonish[]” NSA to make sure none of this dissemination ends up in an FBI report. But having expressed concerns about how NSA exploits attorney-client communications, he nevertheless approves its use for foreign intelligence purposes.

V. Fourth Amendment Requirements

Then, in totally separate analysis, Boasberg (like judges before him) assesses whether all those procedures he just reviewed “are consistent with the Fourth Amendment.” This review, like all the ones since 2008, has relied on procedures to find that the program as a whole complies with the Fourth Amendment.

It does so by finding that the Targeting Procedures limit the collection to people not protected by the Fourth Amendment, and the interests of those swept up in that collection can be protected with Minimization and Querying Procedures.

For reasons explained above, the Court has found that the proposed targeting procedures, as written, are reasonably designed to limit acquisitions to those targets reasonably believed to be non-United States persons located outside the United States. The Fourth Amendment does not protect the privacy interests of such individuals. [citation omitted]

To the extent U.S.-person information is acquired under Section 702 — e.g., when a communication between a U.S. person and a Section 702 target is intercepted — the government can reduce the intrusiveness of the acquisition for Fourth Amendment purposes by restricting use or disclosure of such information.

After language about the import of national security interests, Boasberg then concludes that, “those procedures, as written, are consistent with the requirements of the Fourth Amendment.”

VI. Implementation and Compliance Issues

It’s only after ruling everything meets the legal requirements — all the boxes are checked — that Boasberg (and this opinion is in no way unique in its structure) turns to a list of compliance issues. Yes, this analysis feigns to be part of reviewing “how [the procedures] are implemented.” But Boasberg has already found the procedures, in the abstract, sufficient to comply with the Fourth Amendment.

As part of his analysis, Boasberg offers the following excuses for the FBI:

  • It took time for them to make the changes in their systems
  • It took time to train everyone
  • Once everyone got trained they all got sent home for COVID
  • Given mandatory training, personnel “should be aware” of the requirements, even if actual practice demonstrates they’re not
  • FBI doesn’t do that many field reviews
  • Evidence of violations is not sufficient evidence to find that the program inadequately protects privacy
  • The opt-out system for FISA material — which is very similar to one governing the phone and Internet dragnet at NSA until 2011 that also failed to do its job — failed to do its job
  • The FBI has always provided national security justifications for a series of violations involving their tracking system where an Agent didn’t originally claim one
  • Bulk queries have operated like that since November 2019
  • He’s concerned but will require more reporting

At the end of this section, Boasberg issued a 5-bullet conclusion that the certifications check all the boxes, the 2020 certifications comply with FISA and the Fourth Amendment, the minimization procedures (incorporating therein the querying procedures) mean access to prior collections complies with FISA and the Fourth Amendment, and one querying procedure is approved for the 2020 collection.

By conducting first an abstract analysis and only then an analysis of what that has meant in past practice, and where real concerns remain to require ongoing reporting, Boasberg “gets to yes” (as Brennan’s Liza Goitein aptly wrote). Boasberg repeatedly said he didn’t have evidence to assess whether this really works to meet the requirements, but nevertheless signed the reauthorization.

Reporting requirements

Boasberg doesn’t provide a heading for his reporting requirements. But as part of his order approving the certifications, he lays out all the reports that he and past judges have required to make up for the fact that there’s no evidence these protections work. There are 11 old ones and two new ones.

Two years ago, as part of the most rigorous amicus intervention known to date, the amici recommended that Boasberg consider the querying at the heart of the FBI’s use of 702 as its own Fourth Amendment consideration. Even though Boasberg refused, FBI still threw a fit and appealed his demand that they comply with the law as written. And this opinion, as noted, still lumps the abstract analysis of compliance of minimization procedures and querying in together.

Yet the document itself, by separating the box-checking from the concepts the box-checking is supposed to fulfill, and separating both of those from the program as implemented, and even still authorizing a program while deferring the obvious proof of compliance by simply asking for 13 different reports, often of non-compliance, doesn’t actually do what it is supposed to do.

Unless what it is supposed to do is give the patina of legal review while instead turning judges into bureaucratic functionaries who can, once a year, offer some compliance suggestions that may not be implemented.

Originally Posted @ https://www.emptywheel.net/2021/04/29/the-rickety-702-system-why-it-continues-to-fail/