Privacy and Civil Liberties Oversight Board Releases Report on Section 702 Surveillance (Full Text)

On Tuesday evening, the Privacy and Civil Liberties Oversight Board (PCLOB)—an independent body within the Executive Branch—released a major report concerning the National Security Agency’s electronic surveillance program under section 702 of the Foreign Act Surveillance Act. (The full text of the report entitled, “Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act,” is available here).

The report, released at 9pm EST on Tuesday night, is labeled a “pre-release copy of the report,” which the Board wanted to make “available for members of the press and public to preview the Board’s findings and recommendations.” The report will become official after the Board formally votes on it on Wednesday morning, according to an announcement on the organization’s website.

[For earlier coverage at Just Security on the section 702 program, see here.]

The Executive Summary of the Report contains a section on “Legal Analysis,” a section on “Policy Analysis,” and 10 specific recommendations. Those sections of the Executive Summary are excerpted in full below.

I. Overview of the Report

B. Legal Analysis

The Board’s legal analysis of the Section 702 program includes an evaluation of whether it comports with the terms of the statute, an evaluation of the Fourth Amendment issues raised by the program, and a discussion of the treatment of non-U.S. persons under the program.

In reviewing the program’s compliance with the text of Section 702, the Board has assessed the operation of the program overall and has separately evaluated PRISM and upstream collection. On the whole, the text of Section 702 provides the public with transparency into the legal framework for collection, and it publicly outlines the basic structure of the program. The Board concludes that PRISM collection is clearly authorized by the statute and that, with respect to the “about” collection, which occurs in the upstream component of the program, the statute can permissibly be interpreted as allowing such collection as it is currently implemented.

The Board also concludes that the core of the Section 702 program — acquiring the communications of specifically targeted foreign persons who are located outside the United States, upon a belief that those persons are likely to communicate foreign intelligence, using specific communications identifiers, subject to FISA court–approved targeting rules and multiple layers of oversight — fits within the “totality of the circumstances” standard for reasonableness under the Fourth Amendment, as that standard has been defined by the courts to date. Outside of this fundamental core, certain aspects of the Section 702 program push the program close to the line of constitutional reasonableness. Such aspects include the unknown and potentially large scope of the incidental collection of U.S. persons’ communications, the use of “about” collection to acquire Internet communications that are neither to nor from the target of surveillance, and the use of queries to search for the communications of specific U.S. persons within the information that has been collected. With these concerns in mind, this Report offers a set of policy proposals designed to push the program more comfortably into the sphere of reasonableness, ensuring that the program remains tied to its constitutionally legitimate core.

Finally, the Board discusses the fact that privacy is a human right that has been recognized in the International Covenant on Civil and Political Rights (“ICCPR”), an international treaty ratified by the U.S. Senate, and that the treatment of non-U.S. persons in U.S. surveillance programs raises important but difficult legal and policy questions. Many of the generally applicable protections that already exist under U.S. surveillance laws apply to U.S. and non-U.S. persons alike. The President’s recent initiative under Presidential Policy Directive 28 on Signals Intelligence (“PPD-28”) will further address the extent to which non-U.S. persons should be afforded the same protections as U.S. persons under U.S. surveillance laws.Because PPD-28 invites the PCLOB to be involved in its implementation, the Board has concluded that it can make its most productive contribution in assessing these issues in the context of the PPD-28 review process.

C. Policy Analysis

The Section 702 program has enabled the government to acquire a greater range of foreign intelligence than it otherwise would have been able to obtain — and to do so quickly and effectively. Compared with the “traditional” FISA process under Title I of the statute, Section 702 imposes significantly fewer limits on the government when it targets foreigners located abroad, permitting greater flexibility and a dramatic increase in the number of people who can realistically be targeted. The program has proven valuable in the government’s efforts to combat terrorism as well as in other areas of foreign intelligence. Presently, over a quarter of the NSA’s reports concerning international terrorism include information based in whole or in part on Section 702 collection, and this percentage has increased every year since the statute was enacted. Monitoring terrorist networks under Section 702 has enabled the government to learn how they operate, and to understand their priorities, strategies, and tactics. In addition, the program has led the government to identify previously unknown individuals who are involved in international terrorism, and it has played a key role in discovering and disrupting specific terrorist plots aimed at the United States and other countries.

The basic structure of the Section 702 program appropriately focuses on targeting non-U.S. persons reasonably believed to be located abroad. Yet communications of, or concerning, U.S. persons can be collected under Section 702, and certain features of the program implicate privacy concerns. These features include the potential scope of U.S. person communications that are collected, the acquisition of “about” communications, and the use of queries that employ U.S. person identifiers.

The Board’s analysis of these features of the program leads to certain policy recommendations.

The government is presently unable to assess the scope of the incidental collection of U.S. person information under the program. For this reason, the Board recommends several measures that together may provide insight about the extent to which communications involving U.S. persons or people located in the United States are being acquired and utilized.

With regard to the NSA’s acquisition of “about” communications, the Board concludes that the practice is largely an inevitable byproduct of the government’s efforts to comprehensively acquire communications that are sent to or from its targets. Because of the manner in which the NSA conducts upstream collection, and the limits of its current technology, the NSA cannot completely eliminate “about” communications from its collection without also eliminating a significant portion of the “to/from” communications that it seeks. The Board includes a recommendation to better assess “about” collection and a recommendation to ensure that upstream collection as a whole does not unnecessarily collect domestic communications.

The Report also assesses the impact of queries using “United States person identifiers.” At the NSA, for example, these queries can be performed if they are deemed “reasonably likely to return foreign intelligence information.” No showing of suspicion that the U.S. person is engaged in any form of wrongdoing is required, but procedures are in place to prevent queries being conducted for improper purposes. The Board includes two recommendations to address the rules regarding U.S. person queries.

Overall, the Board finds that the protections contained in the Section 702 minimization procedures are reasonably designed and implemented to ward against the exploitation of information acquired under the program for illegitimate purposes. The Board has seen no trace of any such illegitimate activity associated with the program, or any attempt to intentionally circumvent legal limits. But the applicable rules potentially allow a great deal of private information about U.S. persons to be acquired by the government. The Board therefore offers a series of policy recommendations to ensure that the program appropriately balances national security with privacy and civil liberties.

II. Recommendations

A. Targeting and Tasking

Recommendation 1: The NSA’s targeting procedures should be revised to (a) specify criteria for determining the expected foreign intelligence value of a particular target, and (b) require a written explanation of the basis for that determination sufficient to demonstrate that the targeting of each selector is likely to return foreign intelligence information relevant to the subject of one of the certifications approved by the FISA court. The NSA should implement these revised targeting procedures through revised guidance and training for analysts, specifying the criteria for the foreign intelligence determination and the kind of written explanation needed to support it. We expect that the FISA court’s review of these targeting procedures in the course of the court’s periodic review of Section 702 certifications will include an assessment of whether the revised procedures provide adequate guidance to ensure that targeting decisions are reasonably designed to acquire foreign intelligence information relevant to the subject of one of the certifications approved by the FISA court. Upon revision of the NSA’s targeting procedures, internal agency reviews, as well as compliance audits performed by the ODNI and DOJ, should include an assessment of compliance with the foreign intelligence purpose requirement comparable to the review currently conducted of compliance with the requirement that targets are reasonably believed to be non-U.S. persons located outside the United States.

B. U.S. Person Queries

Recommendation 2: The FBI’s minimization procedures should be updated to more clearly reflect the actual practice for conducting U.S. person queries, including the frequency with which Section 702 data may be searched when making routine queries as part of FBI assessments and investigations. Further, some additional limits should be placed on the FBI’s use and dissemination of Section 702 data in connection with non–foreign intelligence criminal matters.

Recommendation 3: The NSA and CIA minimization procedures should permit the agencies to query collected Section 702 data for foreign intelligence purposes using U.S. person identifiers only if the query is based upon a statement of facts showing that it is reasonably likely to return foreign intelligence information as defined in FISA. The NSA and CIA should develop written guidance for agents and analysts as to what information and documentation is needed to meet this standard, including specific examples.

C. FISA Court Role

Recommendation 4: To assist in the FISA court’s consideration of the government’s periodic Section 702 certification applications, the government should submit with those applications a random sample of tasking sheets and a random sample of the NSA’s and CIA’s U.S. person query terms, with supporting documentation. The sample size and methodology should be approved by the FISA court.

Recommendation 5: As part of the periodic certification process, the government should incorporate into its submission to the FISA court the rules for operation of the Section 702 program that have not already been included in certification orders by the FISA court, and that at present are contained in separate orders and opinions, affidavits, compliance and other letters, hearing transcripts, and mandatory reports filed by the government. To the extent that the FISA court agrees that these rules govern the operation of the Section 702 program, the FISA court should expressly incorporate them into its order approving Section 702 certifications.

D. Upstream and “About” Collection

Recommendation 6: To build on current efforts to filter upstream communications to avoid collection of purely domestic communications, the NSA and DOJ, in consultation with affected telecommunications service providers, and as appropriate, with independent experts, should periodically assess whether filtering techniques applied in upstream collection utilize the best technology consistent with program needs to ensure government acquisition of only communications that are authorized for collection and prevent the inadvertent collection of domestic communications.

Recommendation 7: The NSA periodically should review the types of communications acquired through “about” collection under Section 702, and study the extent to which it would be technically feasible to limit, as appropriate, the types of “about” collection.

E. Accountability and Transparency

Recommendation 8: To the maximum extent consistent with national security, the government should create and release, with minimal redactions, declassified versions of the FBI’s and CIA’s Section 702 minimization procedures, as well as the NSA’s current minimization procedures.

Recommendation 9: The government should implement five measures to provide insight about the extent to which the NSA acquires and utilizes the communications involving U.S. persons and people located in the United States under the Section 702 program. Specifically, the NSA should implement processes to annually count the following: (1) the number of telephone communications acquired in which one caller is located in the United States; (2) the number of Internet communications acquired through upstream collection that originate or terminate in the United States; (3) the number of communications of or concerning U.S. persons that the NSA positively identifies as such in the routine course of its work; (4) the number of queries performed that employ U.S. person identifiers, specifically distinguishing the number of such queries that include names, titles, or other identifiers potentially associated with individuals; and (5) the number of instances in which the NSA disseminates non-public information about U.S. persons, specifically distinguishing disseminations that includes names, titles, or other identifiers potentially associated with individuals. These figures should be reported to Congress in the NSA Director’s annual report and should be released publicly to the extent consistent with national security.

F. Efficacy

Recommendation 10: The government should develop a comprehensive methodology for assessing the efficacy and relative value of counterterrorism programs

 

 

About the Author(s)

Ryan Goodman

Co-Editor-in-Chief of Just Security, Anne and Joel Ehrenkranz Professor of Law at New York University School of Law, former Special Counsel to the General Counsel of the Department of Defense (2015-2016) Follow him on Twitter @rgoodlaw.