Section 309: A Band-Aid for a Gaping Wound in Democracy
On Friday, officials from James Clapper’s office confirmed in a number of different ways that the government obtains “vast troves” of Americans’ communication overseas. And rather than enforce Dianne Feinstein and Mark Udall’s suggestion that the intelligence community treat it under FISA — as the spirit of FISA Amendment Acts, which extended protection to Americans abroad, would support — Congress instead passed Section 309, a measure to impose limited protections on vast unregulated spying on Americans.
This all happened at CATO’s conference on surveillance, an awesome conference set up by Julian Sanchez.
My panel (moderated very superbly by Charlie Savage) revisited at length the debate between former State Department whistleblower John Napier Tye and Director of National Intelligence Civil Liberties Officer Alex Joel (into which I stuck my nose). As he did in his Politico post responding to Tye’s alarms about the risk of EO 123333 collection against Americans to democracy, Joel pointed to the topical limits on bulk collection Obama imposed in his Presidential Policy Directive 28, which read,
The United States must consequently collect signals intelligence in bulk in certain circumstances in order to identify these threats. Routine communications and communications of national security interest increasingly transit the same networks, however, and the collection of signals intelligence in bulk may consequently result in the collection of information about persons whose activities are not of foreign intelligence or counterintelligence value. The United States will therefore impose new limits on its use of signals intelligence collected in bulk. These limits are intended to protect the privacy and civil liberties of all persons, whatever their nationality and regardless of where they might reside.
In particular, when the United States collects nonpublicly available signals intelligence in bulk, it shall use that data only for the purposes of detecting and countering: (1) espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests; (2) threats to the United States and its interests from terrorism; (3) threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction; (4) cybersecurity threats; (5) threats to U.S. or allied Armed Forces or other U.S or allied personnel; and (6) transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named in this section.
I noted — as I did in my Salon piece on the topic — that bulk collection for even just one topic means the collection of everything, as counterterrorism serves as the excuse to get all phone records in the US in the phone dragnet. Joel did not dispute that, explaining that PPD-28 only limits the use of data that has been bulk collected to these six purposes. PPD-28 does nothing to limit bulk collection itself. Though the fact that these limitations have forced a change in how the NSA operates is testament that they were using data collected in bulk for even more reasons before January.
The NSA is, then, aspiring to collect it all, around the world.
Which was a point confirmed in an exchange between Joel and Tye. Joel claimed we weren’t collecting nearly all of the Internet traffic out there, saying it was just a small fraction. Tye said that was disingenuous, because 80% of Internet traffic is actually things like Netflix. Tye stated that the NSA does collect a significant percentage of the remainder (he implied most, but I’d want to see the video before I characterize how strongly he said that).
Again, collect it all.
Our panel didn’t get around to talking about Section 309 of the Intelligence Authorization, which I examined here. The Section imposes a 5 year retention limit on US person data except for a number of familiar purposes — foreign intelligence, evidence of a crime, encryption, all foreign participants, tech assurance or compliance, or an Agency head says he needs to retain it longer (which requires notice to Congress). Justin Amash had argued, in an unsuccessful attempt to defeat the provision, that the measure provides affirmative basis for sharing US person content collected under EO 12333.
In a later panel at the CATO conference, DNI General Counsel Bob Litt said that the measure doesn’t change anything about what the IC is already doing. Read more →