The PCLOB Report and Eight Questions About Section 702

Note: The views expressed below are my own and do not necessarily represent the views of PCLOB or its other Board members.

On July 2, Professor Jennifer Granick posed the question: “Did PCLOB Answer My Eight Questions About Section 702?” She concludes that her questions went largely unanswered in the Privacy and Civil Liberties Oversight Board’s report (hereinafter, “PCLOB report”) issued earlier that day, on the surveillance program operated under Section 702 of the Foreign Intelligence Surveillance Act. As explained below, I challenge that assessment. The PCLOB’s report offers what I believe to be the most detailed account anywhere of how an active intelligence program currently works in practice. The Board pushed hard to declassify a great deal about the Section 702 program, and this effort was largely successful: our report led to the declassification of a substantial amount of information regarding the program’s operation. I recommend that anyone interested in the Section 702 program carefully read our full – and very long – report. While the Board was given complete access to information and personnel involved in the Section 702 program, it is true that some aspects of the program’s operation remain classified. Therefore, Professor Granick may not find that all of her questions have been fully answered.

What follows are Professor Granick’s original eight questions with responsive information and recommendations found in the report.

1. “How many of the 702 collected communications are of or concerning U.S. persons?”

The PCLOB investigated this question, which we noted “has been one of the biggest open questions about the program, and a continuing source of public concern.” PCLOB report at p. 146. Our review confirmed that the government does not know the answer. As one can imagine, it is not a simple matter to determine whether even a single email address (to which, say, a targeted person sends a communication) is used by a U.S. person, and making this determination may require spending considerable energy scrutinizing the contents of communications involving that email address or otherwise investigating the potential user of the email address. In light of these considerations, the government has expressed concerns about whether it is feasible to generate a number representing the scope of “incidental” collection under Section 702 in a manner that is accurate and also does not require government personnel to review communications or focus their attention on email users that otherwise might be ignored.

To date, this tension between the legitimate need to know the likelihood of an American’s communication being acquired, and concerns that attempting to obtain such a number will be privacy invasive and inaccurate, has led, as we state in the report, to an “impasse.” We do not believe this need be the case. As detailed in Recommendation 9 of our report, we believe that the government should – and, importantly, can – calculate and report certain numbers related to its acquisition, querying, and dissemination of Americans’ information that “collectively would shed some light on the extent to which communications involving U.S. persons or people located in the United States are being acquired and utilized under Section 702.” PCLOB report at p. 47.

2. “Do U.S. intelligence agencies have direct access to any communications providers/systems or networks? If not, how does NSA collect real time data via section 702?”

Pages 32 to 41 of the Board’s report discuss how the government collects data via Section 702. While we could not provide, in an unclassified report, a number of details regarding the technical means by which the NSA acquires information from providers, with respect to PRISM, we explain that the FBI, on behalf of the NSA, sends selectors to a provider that has been served with a Section 702 directive, and that such providers are “compelled to give the communications sent to or from [a tasked] selector to the government.” PCLOB report at p. 33. We also note that when the NSA decides, or is required, to “detask” a selector, the government sends a request to the provider to stop any further production of data and also uses technical systems to prevent further receipt from the provider by the government. PCLOB report at p. 34.

With respect to upstream collection, we explain that selectors are sent to service providers who maintain the Internet “backbone,” who also are compelled to provide assistance. PCLOB report at p. 36-37. We also supply some important details about the upstream collection process, notably that Internet “transactions” are first filtered to eliminate potentially domestic transactions, and only then are screened for the presence of tasked selectors. PCLOB report at p. 37. We further explain that while upstream collection “may require access to a larger body of international communications than those that contain a tasked selector,” nevertheless, “the government has no ability to examine or otherwise make use of this larger body of communications, except to promptly determine whether any of them contain a tasked selector. Only those communications (or more precisely, ‘transactions’) that contain a tasked selector go into government databases.” PCLOB report at p. 111 n.476.

3. “Can PRISM operate with higher levels of assurance that the person on the other end of the line is a foreigner?”

As Professor Granick observes, the Board’s report debunks the myth that individuals may be targeted if there is a 51% likelihood that they are located outside the United States. Our review confirmed that a person may be targeted only after an individualized determination that he or she is a non-U.S. person, reasonably believed to be located outside the United States, who is assessed to possess or be likely to communicate or receive foreign intelligence information authorized by a Section 702 certification. And “[i]f there is conflicting information indicating whether a target is located in the United States or is a U.S. person, that conflict must be resolved and the user must be determined to be a non-U.S. person reasonably believed to be located outside the United States prior to targeting.” PCLOB report at p. 44.

Despite press accounts suggesting that the NSA’s “foreignness” determinations are superficial, we found the process to be rigorous. Analysts may not under targeting rules, for example, conclude that someone is a non-U.S. person or located outside the United States merely because he or she speaks a foreign language. In addition, there are several layers of oversight – including a review by the Department of Justice of every targeting decision – to prevent targeting individuals on such a clearly insufficient basis. As we note in the report, the targeting process does not involve a probable cause standard, but “once a targeting decision has been made, that is not the end of the story. Soon after collection on a selector begins, analysts must review a sample of the communications that have recently been collected, to ensure that the email address or other selector actually is associated with the person whom the NSA intended to target, and that this person is a foreigner located outside the United States. Additional measures are employed to re-verify the validity of continued collection against the selector.” PCLOB report at p. 118; see also pp. 48-49.

Based on the required post-tasking checks that the NSA conducts to routinely reevaluate whether the users of tasked selectors are Americans or located in the United States, the Department of Justice’s review in 2013 concluded that “0.4% of NSA’s targeting decisions resulted in the tasking of a selector that, as of the date of tasking, had a user in the United States or who was a U.S. person.” PCLOB report at p. 34. While the results of this review may not provide a definitive number, the extremely low error rate is consistent with our observations about the rigor of the process for assessing foreignness.

4. “What is the national security value of authorizing warrantless surveillance of people who are not agents of foreign powers?”

Foreigners may be targeted under Section 702 if they are assessed to “possess, are expected to receive, or are likely to communicate foreign intelligence information” that falls within one of the Section 702 certifications.” PCLOB report at p. 22. As we note, “people who might have knowledge about a suspected terrorist can be targeted even if those people are not themselves involved in terrorism or any illegitimate activity.” PCLOB report at p. 106. In other words, one need not be an agent of a foreign power to have information about an agent of a foreign power that qualifies as foreign intelligence information.

5. “What kinds of selectors do intelligence agencies use when conducting “about” collection?”

No selectors are used exclusively for “about” collection. As we explain in the report, “about” collection is a subset of upstream collection, and the selectors that result in the acquisition of “about” communications are the same ones that result in the acquisition of “to/from” communications.

As is apparent from our report, upstream collection was a topic on which the Board focused particular attention. Accordingly, we were informed about the types of selectors that are and could permissibly be used by the government in conducting Section 702 acquisition. That said, classification issues make this one of the most difficult topics to discuss publicly. It is important to remember, however, that the scope of the NSA’s acquisition is limited not only by the types of selectors that can be used to engage in Section 702 collection but, even more importantly, by the rules that presently govern the use of all types of selectors. Understanding how those rules limit the nature of collection was critical to the Board’s conclusion that Section 702 is not a bulk surveillance program.

More specifically, every selector used for upstream collection (as for PRISM collection) must be “a specific communications identifier.” PCLOB report at p. 123. The report further explains that “although the selectors that the government could use are not limited to telephone numbers and email addresses, the government is not creatively interpreting the meaning of ‘selector’ to engage in bulk collection under Section 702. Even in the complex realm of Internet communications, a selector always must be associated with a specific person or entity.” PCLOB report at p. 112. As the report notes, the definition of “person” is “broad, but not limitless: a foreign government or international terrorist group could qualify as a “person,” but an entire foreign country cannot be a “person” targeted under Section 702. PCLOB report at p. 21.

To savvy readers, this may at first seem to offer cold comfort, because one can easily imagine scenarios in which an entity like a terrorist organization is “targeted” through collection that is aimed at a specific selector but that sweeps in the communications of wide swaths of people who also use the selector, but are not part of the targeted entity. However, there is a further, critical limitation: under the FISC’s interpretation of the NSA targeting procedures, regardless of the type of selector that is tasked, “the users of any tasked selector are considered targets – and therefore only selectors used by non-U.S. persons reasonably believed to be located abroad may be tasked.” PCLOB report at pp. 32-33. Furthermore, in tasking any selector, again regardless of what type of selector it is, “if a U.S. person or a person located in the United States is determined to be a user of [the] selector, that selector may not be tasked to Section 702 acquisition or must be promptly detasked if the selector has already been tasked.” PCLOB report at p. 33. While the evident purpose of this rule is to ensure that U.S. persons are not targeted under Section 702, its practical effect is to prevent the use of any selector so broad in nature that the government could not reasonably ensure that none of the users will be U.S. persons or people located in the United States.

These rules are complex, and classification limitations require the omission of key details in discussing them. Nonetheless, under the targeting procedures approved by the FISA court, tasking selectors in any way that could fairly be characterized as “bulk” collection is prohibited, in no small part because it would result in the targeting of U.S. persons or people in the United States, which is barred by the statute. The scope of collection under Section 702 is large because the number of targets is large – roughly 89,000 as of last year – not because the program operates on the “collect it all, then sort it later” model that characterizes the NSA’s Section 215 telephone records program.

The requirement that selectors be specific communications identifiers also means that selectors cannot be key words or terms. Critically, this ensures that “the government’s collection devices are not searching for references to particular topics or ideas, but only for references to specific communications selectors used by people who have been targeted under Section 702.” PCLOB report at p. 123.

6. “Do intelligence agencies minimize address books, buddy lists, stored documents, system backups and/or other electronic transmissions where there is no human being on the received end of the transmission as “communications” under the minimization procedures? Or are those fair game?”

The report answers this question directly: “Everything that is collected under Section 702 is treated as a ‘communication’ and therefore is protected by the applicable minimization procedures.” PCLOB report at p. 127 n. 524. As explained elsewhere in the report, the statute itself “requires that all acquired data be subject to minimization procedures.” PCLOB report at p. 50 (emphasis added).

7. “How many times and about how many different people has NSA disclosed section 702 data to CIA, FBI, DEA, IRS or other law enforcement agencies?”

In addition to the NSA, the CIA and FBI also have access to some unminimized PRISM data. PCLOB report at p. 34. Neither the CIA nor the FBI has access to unminimized Section 702 telephony or upstream Internet data. PCLOB report at p. 35. No other agencies have access to unminimized Section 702 data. As discussed in detail in the report, and the subject of the Board’s Recommendation 2, the FBI can conduct queries of its Section 702 data to identify evidence of a crime, as well as use and disseminate evidence of a crime.

With respect to minimized data, the report notes the NSA’s extensive dissemination of information that it has determined to be foreign intelligence information, in the form of intelligence reports. The NSA’s dissemination of intelligence reports based on Section 702 collection is substantial, and a “significant number of such reports … (albeit a small percentage of the total) … include reference to U.S. persons.” While “U.S. person information in these reports typically is initially ‘masked’ to hide personally identifying information …. last year the NSA ‘unmasked’ approximately 10,000 U.S. person identities” in response to requests from recipients of those reports. PCLOB report at p. 132. The NSA’s reporting to other agencies of potential violations of the law involving U.S. persons that did not constitute foreign intelligence was far smaller: the NSA made ten such disseminations in 2013, to the DOJ and FBI. See PCLOB report at p. 132.

As a transparency measure, the Board’s Recommendation 9 proposes, among other things, that the NSA should annually report the number of instances in which the NSA disseminates non-public information about U.S. persons and should clearly indicate how much of that information involves individuals, as opposed to, say, a reference to a U.S.-based company. To the extent consistent with national security, the Board recommended that these numbers be made public.

8. “What is the legal basis for searching section 702 data for U.S. person identifiers, and what are the applicable guidelines for doing so, if any?”

At the Board’s request, the government shared with us its legal rationale for conducting queries using U.S. person identifiers, and the government’s position can now be seen in pages 55 to 59 of its unclassified response to the motion to suppress in the Mohamud case in the District of Oregon. As for the applicable guidelines, as Professor Granick notes, the Board’s report discusses the NSA, CIA, and FBI U.S. person query procedures quite extensively. The Board believed it was critical to its analysis and the public’s understanding that our report include not just the numbers of such queries but also the rules governing these queries and the oversight regime reviewing them. As indicated in our separate statement, Board Member Patricia Wald and I would go a step further and require FISA court approval for queries both for foreign intelligence and criminal purposes.

The PCLOB’s Section 702 report devotes over sixty pages to describing the structure and operations of the Section 702 program – apart from the Board’s legal analysis, policy discussion, and explanations for its recommendations. The Board assessed the program to be legal and effective in preventing terrorism. But that is not to say that the Board found that the program raises no privacy or civil liberties concerns. To the contrary, the Board unanimously made a series of recommendations bearing on targeting, collection, querying, oversight, and transparency that we believe will allow the Section 702 program to more appropriately balance national security with privacy and civil liberties.