I was going to leave this post, in which Ben Wittes complains that WaPo published details of NSA’s collection of millions of contact lists, which he didn’t find at all newsworthy, well enough alone.
Here the public interest in disclosure seems, at least to me, remarkably weak, after all. At the policy level, the entire story amounts to nothing more than the proposition that NSA is under 12333 collecting large volumes of live-stream data, storing it, and protecting U.S. person material within that data only through minimization requirements. We knew all of that already.
So what does this story reveal that we didn’t already know? A specific collection method that people can now frustrate and a particular interest in collecting contact lists. In other words, here the Post does not seem to be balancing the costs of the disclosure against its benefit to the public interest. The costs, rather, are the benefit to the public interest. Put another way, I can’t quite shake the feeling that my old newspaper is now blowing secrets merely for the sake of doing so.
But his response to this post from Conor Freidersdorf convinced me to do a post. He’s written about 40 tweets in response, asserting things like, “there is no good argument that this sort of activity is illegal under current law.” In all that tweeting, he did not, however, respond to what I thought was a pretty decent argument this sort of activity might be illegal under current law.
Two years ago, then FISA Court Judge John Bates considered the legality of content collected off US switches. He found the practice, as had been conducted for over 3 years, violated both Section 702 of FISA Amendments Act and the Fourth Amendment because it intentionally collected US person data (NSA’s apologists usually obscure this last point, but Bates’ opinion was quite clear that this was intentional collection). To make the collection “reasonable” under a special needs exception, he required NSA to follow more stringent minimization procedures than already required under Section 702, effectively labeling some of the data and prohibiting the NSA from using US person data except in limited circumstances.
That collection differs from the contact list collection revealed by the WaPo in several ways:
The contact lists are collected overseas
WaPo’s sources are quite clear: this collection would be illegal in the US. They get around that restriction by collecting the data overseas.
The NSA has not been authorized by Congress or the special intelligence court that oversees foreign surveillance to collect contact lists in bulk, and senior intelligence officials said it would be illegal to do so from facilities in the United States. The agency avoids the restrictions in the Foreign Intelligence Surveillance Act by intercepting contact lists from access points “all over the world,” one official said, speaking on the condition of anonymity to discuss the classified program. “None of those are on U.S. territory.”
It’s not clear whether the contact list counts as metadata or content
The collection reviewed by Bates was clearly content: Internet messages collected because a selector appeared in the body of the message. With the contact lists, I could see the government claiming it was just metadata, and therefore (incorrectly, in my opinion but not in current law) subject to a much lower standard of protection. Except (as noted) WaPo’s sources admit this would be illegal if collected in the US, probably because NSA is collecting content as well.
Each day, the presentation said, the NSA collects contacts from an estimated 500,000 buddy lists on live-chat services as well as from the inbox displays of Web-based e-mail accounts.
[snip]
Contact lists stored online provide the NSA with far richer sources of data than call records alone. Address books commonly include not only names and e-mail addresses, but also telephone numbers, street addresses, and business and family information. Inbox listings of e-mail accounts stored in the “cloud” sometimes contain content, such as the first few lines of a message.
This data is subjected to a much lower standard of minimization than that imposed by Bates
In his flurry of tweets, Ben keeps repeating that the US person contact lists collected under this program are protected by minimization, so it’s all good. But minimization for Executive Order 12333 collection is not as rigorous as minimization under Section 702, and certainly doesn’t include the special handling that Bates required to make the Section 702 upstream collection compliant with the Fourth Amendment. So even for those who believe minimization on bulk collection gets you to compliance with the Fourth Amendment, it’s unclear whether the minimization provided for this collection does, and given Bates’ ruling, there’s reason to believe it does not.
Neither Congress nor the FISA Court oversee this collection closely
This is the part of the WaPo story that a guy like Ben who wails NAKED! every time someone questions whether there’s adequate oversight ought to have noted. A single source claimed this program includes checks and balances. But as WaPo lays out, these aren’t checks and balances like those protecting other US person collections.
A senior U.S. intelligence official said the privacy of Americans is protected, despite mass collection, because “we have checks and balances built into our tools.”
NSA analysts, he said, may not search within the contacts database or distribute information from it unless they can “make the case that something in there is a valid foreign intelligence target in and of itself.”
In this program, the NSA is obliged to make that case only to itself or others in the executive branch. With few exceptions, intelligence operations overseas fall solely within the president’s legal purview. The Foreign Intelligence Surveillance Act, enacted in 1978, imposes restrictions only on electronic surveillance that targets Americans or takes place on U.S. territory.
[snip]
Sen. Dianne Feinstein, the California Democrat who chairs the Senate Intelligence Committee, said in August that the committee has less information about, and conducts less oversight of, intelligence gathering that relies solely on presidential authority. Read more →