Show sidebar

Executive Order 12333 and the Golden Number

I recently moderated a debate between Professor Nathan Sales of Syracuse Law, Professor Laura Donohue of Georgetown Law, Bob Litt, general counsel of the Office of the Director of National Intelligence, and John Tye, the former head of the Internet Freedom section at the State Department who left government after filing whistleblower complaints alleging that the NSA’s collection practices abroad were unconstitutional. As a moderator, I had to be neutral. With the panel behind us, I am adding my voice to a growing chorus of people who are highly concerned with the NSA’s collection under Executive Order 12333, the Reagan-era authority that governs the NSA’s signals intelligence collection abroad.

To date, the intelligence community has responded to criticisms of 12333 with two principal rebuttals: (1) We cannot target Americans’ electronic communications under these authorities, and (2) To the extent we inevitably collect Americans’ electronic communications through Executive Order 12333, those data are subject to strict minimization requirements.

Since Tye’s op-ed, critics have countered that the use of the 12333 data (e.g. for law enforcement purposes) raises significant constitutional concerns.

These arguments about the proper scope of minimization are important and valid, but they do not address the core of Tye’s complaint. As he told Ars Technica: “My complaint is not that [the NSA is] using [Executive Order 12333] to target Americans. My complaint is that the volume of incidental collection on US persons is unconstitutional.” Too few people are focusing on the simple question that Tye is challenging us to ask: How many Americans’ communications are caught up in 12333 collection in the first place?

That number matters – a lot. It matters from a policy perspective: It may not make sense for Congress to allow a more lax set of collection and minimization standards for 12333 collection if those programs collect as much if not more Americans’ data than FISA collection. The number matters from a democratic perspective: Americans, and their elected officials, cannot reach an informed opinion of these programs if they don’t know how broadly they impact Americans.

Most critically, that number matters for the Fourth Amendment. Americans’ Fourth Amendment rights don’t stop at the border. Even where the acquisition of foreign intelligence information abroad is found to fall within the foreign intelligence exception to the warrant requirement, that acquisition must still satisfy the Fourth Amendment’s reasonableness requirement. (See Laura Donohue’s forthcoming Harvard Journal of Law and Policy article on section 702 for an in-depth discussion of the application of the reasonableness requirement abroad.)

If an “incidental” collection of an Americans’ data is too substantial, that collection may be rendered unreasonable by that fact alone. As Judge Bates wrote in his October 2011 opinion on section 702 collection:

[T]he acquisition of non-target information is not necessarily reasonable under the Fourth Amendment simply because its collection is incidental to the purpose of the search or surveillance. […] There surely are circumstances in which incidental intrusions can be so substantial as to render a search or seizure unreasonable.

Bates went on to clarify that an incidental collection of Americans’ data can be particularly problematic for Fourth Amendment purposes if the data are entirely unrelated to the targeted facility. “The distinction is significant and impacts the Fourth Amendment balancing,” he wrote.  Based on this reasoning, Judge Bates found that the NSA’s October 2011 proposed targeting and minimization procedures were not consistent with the Fourth Amendment.

Judge Bates did not reach this ruling because he discovered that the targeting procedures would result in the discovery of millions, or even hundreds of thousands of Americans’ communications. No, the offending acquisition collected “roughly two to ten thousand discrete wholly domestic communications […] as well as tens of thousands of other communications that are to or from a United States person or a person in the United States but that are neither to, from, nor about a targeted selector.” This bears repeating: Judge Bates found the 702 targeting procedures unconstitutional because they collected tens of thousands of U.S. person communications.

We need to know approximately how many Americans’ communications are collected under 12333. That’s the golden number. But we don’t know it. Apparently, neither does the NSA. In a December 2013 Washington Post article on the use of 12333 to collect cellphone location records, the NSA demurred an attempt to estimate how many Americans were swept up in that program:

“It’s awkward for us to try to provide any specific numbers,” one intelligence official said in a telephone interview. An NSA spokeswoman who took part in the call cut in to say the agency has no way to calculate such a figure.

Yet in that same story, a “senior collection manager, speaking on the condition of anonymity but with permission from the NSA,” appears to have told the Post that “data are often collected from the tens of millions of Americans who travel abroad with their cellphones every year.”

In a separate Post story in October 2013 on the use of 12333 to collect address books globally, two U.S. senior intelligence officials told Bart Gellman and Ashkan Soltani that that program sweeps in the contacts of many Americans. “They declined to offer an estimate but did not dispute that the number is likely to be in the millions or tens of millions,” wrote Gellman and Soltani.

Behind closed doors, the intelligence community seems to acknowledge a scale of 12333 collection on Americans that far outstrips the collection that Judge Bates found unconstitutional under section 702.

In the recent Georgetown Law debate, I asked Bob Litt whether it was acceptable that the intelligence community did not know how many Americans’ communications were caught up in 12333 – since some scale of such collection would render 12333 collection unreasonable and violate the Fourth Amendment. He answered:

We can’t give numbers but there is a data point you can use and that is that 702 collection by definition is going to be collection that’s passing through the United States. 12333 collection is not. One can assume that you’re more likely to collect a U.S. person communication under 702 than under 12333 as a result of that. And the courts have found that 702 collection is reasonable in this regard. So while you may not have the exact number, you can extrapolate from that and it suggests that the 12333 collection would be reasonable as well.

There are significant gaps in this reasoning. First, while electronic surveillance under 12333 cannot be conducted within the U.S., 12333 has been used to collect bulk records from American companies, many of which store or “mirror” purely domestic communications on international servers.

More importantly, Litt’s explanation overlooks the fact that 12333 is a bulk collection authority – while section 702 is not. Yes, 702 data pass through the United States. But at the end of the day, while section 702 collection may seem “bulky,” it is nonetheless an exclusively targeted collection authority. Section 702 can be used only to collect on communications to, from or (controversially) about a specific target. There aren’t an infinite number of targets. In 2013, there were 89,138 of them.

Executive Order 12333, by contrast, allows for pure bulk collectionof overseas electronic communications. There is no requirement that electronic surveillance under 12333 be targeted at a particular individual, organization or facility. A recent directive from the President (PPD-28) explains:

References to signals intelligence collected in “bulk” mean the authorized collection of large quantities of signals intelligence data which, due to technical or operational considerations, is acquired without the use of discriminants (e.g., specific identifiers, selection terms, etc.).

(Emphasis mine.) Indeed, 12333 lets the government conduct any electronic surveillance, so long as it does so from a location abroad, so long as it does not affirmatively target a U.S. person, and so long as it is done for a “foreign intelligence or counterintelligence purpose.”

The resultant difference in scale of collection is significant. In his 2011 opinion, Judge Bates stated that NSA acquired over 250 million Internet communications annually under section 702; the Washington Post revealed that a single program under 12333 collected nearly 5 billion cellphone location records every day. This may be a bit of an apples-to-oranges comparison, but it’s an instructive one nonetheless. The untargeted nature and massive scope of 12333 collection strongly suggest that it may be used to collect far more U.S. person communications than are collected under section 702.

Moreover, because 12333 allows for bulk collection, it would seem to stand a high chance of capturing Americans’ communications that are, in fact, entirely unrelated to foreign intelligence – precisely the category of protected communications that Judge Bates found so problematic. Curiously, the new report on 12333 from the NSA’s Civil Liberties and Privacy Office explicitly excludes bulk collection from its analysis.

It would be great if Judge Bates could ask these questions. But he can’t. The FISC lacks jurisdiction over 12333 collection. And so it is on Congress – and on us – to fill in the gap. For section 702, the sponsors of the USA FREEDOM Act succeeded in adding a modest but nonetheless incrementally positive provision that would require the Director of National Intelligence to either annually disclose an estimate of the number of Americans affected by section 702 programs, or to provide a detailed, public explanation of why he or she cannot provide that figure (see subsection “(e)(4)” of section 603 of the bill).

At a bare minimum, a parallel requirement should be added for 12333. More importantly, however, civil liberties-minded technologists must work to develop a rigorous, peer-tested method to determine whether or not the party to a communication is a U.S. person – or, alternatively, if that individual is likely located in the United States. This method could then be used to analyze a statistically representative sample of 12333 data. We need a way to calculate the golden number.

As a former staffer who engaged in the lengthy process of developing the USA FREEDOM legislation, I can confirm that this was always a debate that we lost: We would ask the IC to commit to producing an estimate of U.S. person impact for section 702; they would respond that this would be “difficult if not impossible.” Engineers and mathematicians would do well to prove them wrong – and all of us would benefit.

Tags: , , , , , , , , , ,

About the Author

is Executive Director of the Georgetown Center on Privacy and Technology. From 2011 to August 2014, he was chief counsel to the Senate Judiciary Subcommittee on Privacy, Technology and the Law.