Posts

Section 309: A Band-Aid for a Gaping Wound in Democracy

Someone surveilling our conversation "connection chained" Bob Litt and I while chatting at CATO.

Metadata: Someone surveilling our conversation “connection chained” Bob Litt and me chatting about spying on Americans in the Hayek Auditorium at CATO on 12/12/14.

On Friday, officials from James Clapper’s office confirmed in a number of different ways that the government obtains “vast troves” of Americans’ communication overseas. And rather than enforce Dianne Feinstein and Mark Udall’s suggestion that the intelligence community treat it under FISA — as the spirit of FISA Amendment Acts, which extended protection to Americans abroad, would support — Congress instead passed Section 309, a measure to impose limited protections on vast unregulated spying on Americans.

This all happened at CATO’s conference on surveillance, an awesome conference set up by Julian Sanchez.

My panel (moderated very superbly by Charlie Savage) revisited at length the debate between former State Department whistleblower John Napier Tye and Director of National Intelligence Civil Liberties Officer Alex Joel (into which I stuck my nose). As he did in his Politico post responding to Tye’s alarms about the risk of EO 123333 collection against Americans to democracy, Joel pointed to the topical limits on bulk collection Obama imposed in his Presidential Policy Directive 28, which read,

The United States must consequently collect signals intelligence in bulk in certain circumstances in order to identify these threats. Routine communications and communications of national security interest increasingly transit the same networks, however, and the collection of signals intelligence in bulk may consequently result in the collection of information about persons whose activities are not of foreign intelligence or counterintelligence value. The United States will therefore impose new limits on its use of signals intelligence collected in bulk. These limits are intended to protect the privacy and civil liberties of all persons, whatever their nationality and regardless of where they might reside.

In particular, when the United States collects nonpublicly available signals intelligence in bulk, it shall use that data only for the purposes of detecting and countering: (1) espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests; (2) threats to the United States and its interests from terrorism; (3) threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction; (4) cybersecurity threats; (5) threats to U.S. or allied Armed Forces or other U.S or allied personnel; and (6) transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named in this section.

I noted — as I did in my Salon piece on the topic — that bulk collection for even just one topic means the collection of everything, as counterterrorism serves as the excuse to get all phone records in the US in the phone dragnet. Joel did not dispute that, explaining that PPD-28 only limits the use of data that has been bulk collected to these six purposes. PPD-28 does nothing to limit bulk collection itself. Though the fact that these limitations have forced a change in how the NSA operates is testament that they were using data collected in bulk for even more reasons before January.

The NSA is, then, aspiring to collect it all, around the world.

Which was a point confirmed in an exchange between Joel and Tye. Joel claimed we weren’t collecting nearly all of the Internet traffic out there, saying it was just a small fraction. Tye said that was disingenuous, because 80% of Internet traffic is actually things like Netflix. Tye stated that the NSA does collect a significant percentage of the remainder (he implied most, but I’d want to see the video before I characterize how strongly he said that).

Again, collect it all.

Our panel didn’t get around to talking about Section 309 of the Intelligence Authorization, which I examined here. The Section imposes a 5 year retention limit on US person data except for a number of familiar purposes — foreign intelligence, evidence of a crime, encryption, all foreign participants, tech assurance or compliance, or an Agency head says he needs to retain it longer (which requires notice to Congress). Justin Amash had argued, in an unsuccessful attempt to defeat the provision, that the measure provides affirmative basis for sharing US person content collected under EO 12333.

In a later panel at the CATO conference, DNI General Counsel Bob Litt said that the measure doesn’t change anything about what the IC is already doing.  Read more

The Truth Missing from Alexander Joel’s “Truth” about EO 12333

Over at Salon, I’ve got a piece responding to Office of Director of National Intelligence Civil Liberties Officer Alexander Joel’s column purporting to describe the “truth” about EO 12333.

Click through to see this part of my argument:

  • Joel resorts to the tired old “target” jargon
  • Joel points to PPD 28, which rather than supporting his point, actually shows how broadly the NSA uses bulk collection and therefore how meaningless that “target” jargon is
  • Joel doesn’t address one of John Napier Tye’s points — that current technology allows the NSA to collect US person data overseas
  • We know they’re doing that in the SPCMA — the Internet dragnet authority conducted on Internet data collected overseas

But it’s Joel’s claim about oversight I find most problematic.

Oversight is extensive and multi-layered. Executive branch oversight is provided internally at the NSA and by both the Department of Defense and the Office of the DNI by agency inspectors general, general counsels, compliance officers and privacy officers (including my office and the NSA’s new Civil Liberties and Privacy Office). The Department of Justice also provides oversight, as do the Privacy and Civil Liberties Oversight Board and the president’s Intelligence Oversight Board. In addition, Congress has the power to oversee, authorize and fund these activities.

As I note in my piece, really what we have is single branch oversight. And that’s not going to prevent abusive spying.

Joel’s claim,”Oversight [of EO 12333 collection] is extensive and multi-layered,” rings hollow. He lists 4 oversight positions at 3 Executive branch agencies, then points to 3 more Executive branch agencies he claims have a role. Having the Executive oversee the Executive spying on Americans poses precisely the kind of threat to our democracy Tye raised.

Then Joel claims, “Congress has the power to oversee, authorize and fund these activities.” Of course, that’s different from Congress actually using that power. Moreover, the record suggests Congress may not currently have the power to do anything but defund such spying, assuming they even know about it. Senate Intelligence Committee Chair Dianne Feinstein admitted last August that her committee doesn’t receive adequate information on EO 12333 collection.  Joel’s boss, James Clapper, refused to answer a question from Senator Amy Klobuchar on EO 12333 violations in a hearing in October. And when Senator Mark Udall suggested a “vast trove” of Americans’ communications collected overseas should be provided the protections laid out in FISA, Assistant Attorney General John Carlin explained the National Security Division — the part of DOJ he oversees, which has a central role in oversight under FISA — would not have a role in that case because the collection occurred under EO 12333.

In his column, Joel makes no mention of the third branch of government: the Courts. That’s because, as ACLU’s Patrick Toomey laid out last week, the government doesn’t give defendants any notice if their prosecutions arise from data collected under EO 12333. Criminal prosecutions are where some of the most important oversight on Executive branch spying takes place. By exempting EO 12333 from any such notice, then, the government is bypassing another critical check on potentially abusive spying.

Back in 1978, our government decided that both Congress and the courts should have a role when the Executive branch spied on Americans. That was the entire premise behind the FISA law.  But by moving more and more of its spying overseas, the government can and — apparently, at least to a limited extent — is bypassing the oversight accorded through three branches of government.

FISA was written in 1978, before it became so easy to spy on Americans’ domestic communications overseas. FISA Amendments Act partly addressed the new technological reality — by giving the Executive permission to spy on foreigners domestically. But it provided inadequate protections — Sections 703-5 — in return. Those measures, requiring a Court order for targeting Americans who are themselves overseas (but not for targeting Americans’ data that transits overseas), simply don’t do enough to prevent the government from using this new technological reality from spying on Americans.