[Editor’s Note: Just Security is holding a “mini forum” on the Report by the President’s Review Group on Intelligence and Communications Technologies. Others in the series include a post by Marty Lederman analyzing the Report’s highlights, a post by David Cole and Marty Lederman analyzing how metadata is used under section 215, a post by Jennifer Granick discussing the implications for non-US persons (with a follow-up post by Jennifer), and a post by Ryan Goodman discussing the effectiveness of the section 215 metadata program.]

I wanted to dilate briefly on the Review Group’s description of how collection under section 702 operates, which Marty highlighted in his post, taking special note of what may sound like supererogatory, self-imposed limits on collection that are not to be found in the statute itself:

“[C]ontrary to some representations, section 702 does not authorize NSA to acquire the content of the communications of masses of ordinary people.  To the contrary, section 702 authorizes NSA to intercept communications of non-United States persons who are outside the United States only if it reasonably believes that a particular ‘identifier’ (for example, an e-mail address or a telephone number) is being used to communicate foreign intelligence information related to such matters as international terrorism, nuclear proliferation, or hostile cyber activities.”  (Italics in original.)

 

Marty characterizes the bolded sections as describing two “limitations” on 702 collection that do not appear to be required by the statutory text, though he notes that they may reflect additional constraints imposed by the FISC. This is an important distinction to make, of course, because procedures imposed by the FISC or by internal guidelines can be secretly changed at any time—so it is important to be cognizant that none of this is explicitly in the statute, though the Review Group opted to use language that implies otherwise. But I also want to question how far these are really “limitations” even in that weaker sense.

The 702 language, codified at 50 U.S.C. §1881a, permits the NSA to acquire any type of “foreign intelligence information,” which is defined extraordinarily broadly to encompass, inter alia, anything that relates to the “conduct of the foreign affairs of the United States.” But here we have the Review Group suggesting repeatedly that 702 surveillance is only for acquiring certain specific types of foreign intelligence information, related to nuclear proliferation, international terrorism, or cybersecurity. Have the intelligence agencies or the FISC imposed a more restricted reading of “foreign intelligence information” than the FISA statute does? I doubt it.

First, the Review Group isn’t claiming their list is exhaustive—702 surveillance may gather intelligence related to “such matters as” the named categories. Second, as the preceding discussion in the report makes reasonably clear, these broad categories aren’t really independent constraints on targeting: At the highest level of abstraction, they are the targets. If I’m reading this correctly, the certifications issued jointly each year by the AG and DNI aren’t each authorizing collection on anything as specific as (say) “Iran” or “Al Qaeda.” Rather, they’re annually authorizing “intelligence collection targeting categories of non-U.S. persons abroad,” as AG Holder and DNI Clapper characterized their joint certifications in a 2012 letter to Congress, using language the Review Group echoes almost verbatim. So this is a limitation built into the statute only in the very loose sense that any 702 collection has to be linked to at least one of these extremely broad blanket certifications. Nothing in the law prevents the AG and DNI from authorizing collection on other broad categories of intelligence targets, and indeed, nothing in the report really excludes the possibility that they already have.

The second big apparent restriction is that analysts may only task “particular identifiers” for interception, and only when they have grounds to believe the “identifier” is being used to convey intelligence information of a type specified by one of those annual authorizations. Two important things to bear in mind here.

First, in the context of other stories based on Snowden documents—in particular the Guardian report on XKeyscore—it would appear that the specific tasking for long-term storage and review that the Review Group is discussing here is really part of a multi-stage process by which NSA begins with an enormous initial pool of data—probably including nearly everything they can vacuum in other than wholly U.S.-to-U.S. communications, which theoretically are filtered out—and winnows it down to a merely huge pool. As described in the Guardian story, the first phase of sifting that information may involve using “soft selectors” to home in on traffic that exhibits a certain combination of characteristics: audio or written communications in a particular language, originating from or sent to a particular region, using encryption, using particular software, having visited certain websites, or whatever other general traits they might be interested in. The characteristics they’re filtering for might be known characteristics of an individual human target or group of targets, but it also sounds like they can just be more general indicia of suspicion, according to whatever profile they’re currently using. The XKeyscore tool then maps these “soft selectors” to the particular “hard selectors”—that is, IP addresses, e-mail addresses, or other online accounts—that fit the criteria. We get accustomed to talking about this program and that authority, but it’s important to recognize that these are largely legal distinctions that may not map very accurately onto a collection process that I suspect looks rather more seamless and integrated from the analyst’s perspective. Which is to say, it may be that for bookkeeping purposes, initial filtering on soft selectors generates hard selectors, and then analysts task only those “specific identifiers” for collection—but that doesn’t really tell us whether, as a practical matter, this is tantamount to just tasking the soft selectors directly.

Second, it matters a whole lot just what gets to count as a “specific identifier.” E-mail addresses and phone numbers are suggested “for example,” but if—as seems quite likely—IP addresses, or ranges of IP addresses, are admissible “identifiers,” that still leaves a lot of latitude to cast a pretty wide dragnet. Remember, the “person” who is the “target” of FISA surveillance need not be an individual human; groups and corporate entities are also “persons” as defined by FISA. So it’s not much of a stretch to think that some “identifiers” might be linked, not to a particular individual human being’s account, but to an entire Web site or corporate network. That seems consistent with what we see in the targeting guidelines published by The Guardian, which suggest that the foreign intelligence purpose criteria (not the foreign user criteria!) for tasking may be satisfied if:

“Information indicates that Internet Protocol ranges and/or specific electronic identifiers or signatures (e.g., specific types of cryptology or steganography) are used almost exclusively by individuals associated with a foreign power or foreign territory, or are extensively used by individuals associated with a foreign power or foreign territory.”

So we do have an explicit reference to Internet Protocol ranges lumped together with “specific electronic identifiers” as fair game for collection if they’re “extensively used by individuals associated with a foreign power or foreign territory.” Similarly, all identifiers at one “hop” from, or contained in the contact or buddy list of, a known target appear to themselves be taskable.

Necessarily, any kind of requirement that specific identifiers be employed for tasking will give you somewhat narrower and more limited collection than an indiscriminate vacuum cleaner approach. But again, you can cast a pretty wide dragnet that still falls well short of collecting everything; how significantly the “specific identifier” requirement for 702 collection actually limits intake depends on details we don’t yet know.