Last week, we argued that the public discussion surrounding two of the government’s most controversial mass surveillance programs – PRISM and Upstream – has not sufficiently acknowledged the broad scope of collection under these programs, which take place under section 702 of the Foreign Intelligence Surveillance Act (FISA). In short, hiding behind the counterterrorism justifications for section 702 is a broad surveillance program that sucks up massive amounts of irrelevant private data.

Today we show why, even though digital surveillance conducted under section 702 is directed overseas, such efforts collect substantial amounts of Americans’ private data. Next week we show how that data can be used for multiple purposes that have nothing to do with foreign intelligence or national security, including criminal investigations.

Our efforts come as lawmakers begin to debate the merits of the PRISM and Upstream surveillance programs ahead of section 702’s December 31, 2017 sunset date. We hope to clear misperceptions about the nature of a surveillance regime that is inconsistent with both the US Constitution’s “reasonableness” requirement as well as international human rights norms that require surveillance to be necessary and proportionate. 

Section 702 Programs Gather a Substantial Amount of US Persons’ Communications

Section 702 proponents emphasize the FISA statute’s requirement that surveillance under the 702 provision only target non-US persons located abroad. They then push the seductive (but false) implication that this requirement means section 702 does not materially affect Americans. For example, during the 2012 FISA reauthorization debate, former House Intelligence Committee Chairman Mike Rogers (R-MI) acknowledged that the law might permit surveillance of Americans, but that this would happen “only very rarely.” In 2013, shortly after newspapers revealed details of the PRISM program, Director of National Intelligence James R. Clapper issued a statement reassuring the public that section 702 cannot be used to intentionally target any US citizen or anyone located within the United States. Director Clapper also emphasized that agencies conducting section 702 surveillance must follow procedures meant to minimize the acquisition, retention, and dissemination of incidentally acquired information about US persons.

Nevertheless, a recently declassified FISA Court (FISC) opinion from November 2015 confirmed what many people already suspected – section 702 actually sweeps up “substantial quantities” of information concerning US persons. In other words, the surveillance program subjects Americans to extensive, warrantless surveillance. This broad collection of communications may be politically palatable when Americans are talking to terrorists — the implication is that this “incidental” collection is minor and necessary for public safety. However, as explained above, foreign targets are not necessarily terrorism suspects, or wrongdoers of any kind. Section 702 contemplates surveillance targeting bureaucrats, scientists, aid workers – anyone of “foreign intelligence” interest. Because the sanctioned surveillance topics are so broad, a vast number of people, including Americans, routinely have their communications swept up with no national security benefit attached.

First, Americans are surveilled when they talk to foreign targets. The obvious case is international communications, where one of the parties is a target and the other is an American. However, this “incidental collection” is more extensive than one might think because of the very nature of the internet and the many different ways information is exchanged throughout it. For example, internet messages are commonly multi-user communications taking place in chat rooms and on social networks. If even one participant is foreign, communications from all the other people participating may be subject to section 702 collection.  In other words, a single target can justify surveillance of tens or hundreds of other people, some of which may be US persons on US soil.

Second, Americans’ communications are collected as part of section 702’s Upstream collection program. Under the program, the government “tasks” a given selector (such as an email address or phone number) in the stream of internet data flowing through particular network gateways (known as the “internet backbone”). If the stream of internet packets contains the selector, the Upstream program will acquire the entire “internet transaction” containing that selector. Some transactions only include one communication (Single Communications Transactions – SCT’s), while others contain multiple discreet communications (Multiple Communications Transactions – MCT’s). Because of the way the NSA conducts Upstream collection, if any communication within an SCT or MCT is “to,” “from,” or even “about” a tasked selector, the entire transaction is collected. The collection of MCT’s further removes the nexus between the communicants and the intended target because any communication that is embedded within a transaction that happens to include a communication that so much as mentions the targeted selector can get swept up. This includes wholly domestic communications.

Changeable Minimization Procedures Allow US-Person Information to be Retained, Disseminated, and Used

Congress anticipated that Americans’ communications would get swept up through warrantless section 702 surveillance, so they required the adoption of “minimization procedures” as a way to control the retention, dissemination, and use of nonpublic, non-consenting US-person information. The statute requires the procedures to be consistent with the government’s need to “obtain, produce, and disseminate” foreign intelligence information, and to permit the retention and dissemination of evidence of any crime. As a result, there are still many ways in which communications of or about innocent Americans can not only be collected under section 702, but can also remain in government databases for several years at a time and be used for a variety of purposes unrelated to national security or counterterrorism.

In response to recommendations made by the Privacy and Civil Liberties Oversight Board (PCLOB), the ODNI has made an effort to declassify the minimization procedures used by intelligence agencies as part of their section 702 surveillance practices. Most recently, in August 2016, the 2015 minimization procedures for the NSA, the CIA, the FBI, and the NCTC were partially declassified. Although declassifying the minimization procedures is a welcome step in the right direction, we still do not know when the rules apply and when the intelligence agencies may disregard them. For example, the 2015 minimization procedures for the NSA, the CIA, and the FBI state that “[n]othing in these procedures shall prohibit the retention, processing, or dissemination of information reasonably necessary to comply with specific constitutional, judicial or legislative mandates.” The apparent ability of agencies to deviate from the minimization procedures based on unspecified “mandates” undermines the anemic privacy safeguards those procedures contain. The FISC cannot ensure that the procedures meet either statutory or constitutional requirements in the face of such a vague exception. FISC Judge Thomas F. Hogan was aware of this problem when he nevertheless approved the NSA and the CIA procedures in November 2015. Without fully explaining his conclusion, Judge Hogan concluded the vague language was not as problematic as it seemed, referring to informal conversations in which NSA and CIA officials said they planned to only use this exception to the minimization procedures sparingly.

Beyond this worrisome language that appears to permit agencies to disregard their minimization procedures when they decide that doing so comports with some unspecified “mandate,” there are additional flaws to the most recently declassified procedures that allow Americans’ communications to be retained, searched, and used by a range of government agencies without a warrant or other judicial oversight. First, Americans’ communications are generally fair game for retention, use, and dissemination if one participant at the other end of the communication is outside the United States. Such communications are deemed “foreign communications” despite the fact that at least part of the communication involves a US person. Defenders of the section 702 program may point out that during such “incidental” collection, the foreign end of the communication has likely been identified as a target of interest for surveillance. As explained above, however, it can be alarmingly easy to become such a target under the section 702 statute and the policy guidelines that go with it. Moreover, in all other contexts Americans cannot be subject to incidental collection in the first place unless an investigator has obtained a search warrant or Title III interception order based on probable cause from a judge – a critical oversight mechanism that is absent in the section 702 context.

Once these “foreign” communications get swept up, they can be retained in one or more databases at the NSA, the CIA, and the FBI for a number of years. They can remain in the NSA’s database, for example, between two to five years, depending on whether they were gathered via the Upstream or PRISM collection program. They may be retained longer under a variety of circumstances, such as when they are encrypted or may be used to help decrypt other encrypted communications. Given the growing proportion of communications that are encrypted by default, this is one of the most significant loopholes to the retention limitations.

In addition, although the NSA may only pass US-person information on to other government entities if the identity of the US person is concealed, there are several exceptions to this rule – such as when the communication or information is “reasonably believed to contain evidence that a crime has been, is being, or is about to be committed.” Moreover, whether or not irrelevant US-person information must be minimized largely depends on whether or not the communicant is “known” to be a US person. The minimization procedures contain a presumption that people outside the US or whose location is unknown are “foreign” until there is evidence demonstrating otherwise. This presumption undermines assurances that US-person information that does not meet the requirements for retention will be destroyed “upon recognition,” since such assurances will only apply when that information is “known” to belong to or concern US persons. In practice, the chances of the agencies actually determining that a domestic communication is not the communication of a foreigner are slim, both because it is technologically difficult to determine for certain whether or not a communication belongs to or is about a US person, as well as because agencies do not scrutinize each and every communication to make such a determination.

Even if a communication is of or about a US person and irrelevant to foreign intelligence or crime, the NSA minimization procedures only require destruction “at the earliest practicable point” before the retention limit when such communications are “clearly” not relevant to the authorized purpose of collection (such as the acquisition of foreign intelligence information) or evidence of a crime. During the PCLOB’s public hearing on section 702, the NSA’s then-General Counsel admitted that it is often “difficult” to determine the foreign intelligence value of a particular piece of information at a given time, and the PCLOB concluded that, in reality, the “destroyed upon recognition” requirement rarely happens.

Finally, despite some improvements to the minimization procedures since the Edward Snowden leaks, there are still significant loopholes to the minimization procedures’ purging requirements that allow communications that took place entirely within the United States to be retained, searched, and disseminated. For example the NSA’s procedures require that all domestic communications (including, if applicable, the entire internet transaction in which such communications were contained) be destroyed upon recognition. The NSA director, however, may waive this requirement on a communication-by-communication basis when he determines that one side of the domestic communication was properly targeted under section 702 and at least one of several circumstances apply, such as when the communication is “reasonably believed” to contain significant foreign intelligence information, evidence of a crime, or to be information that can be used for cryptanalytic purposes. The CIA and the FBI 2015 minimization procedures contain similar exceptions, but they do not require that one side of the communication belong to a properly targeted individual.  It is troubling that there are so many situations in which communications between people on US soil may be retained and used as part of a surveillance program purportedly geared towards foreign intelligence and national security. The fact that a very senior official at the intelligence agencies must approve of the retention on a case-by-case basis should help, but increased transparency in this area would help reassure the American public that this exception to the purging requirement is not being overused.

At the end of the day, the NSA is sweeping up vast amounts of Americans’ communication data for reasons other than public safety and national security. It is then allowed to retain, repurpose, and disseminate that information for other government pursuits. This is hardly consistent with the justifications presented by proponents of this type of mass spying. Next week, we will explain how warrantlessly acquired section 702 information is searched and used for a variety of domestic purposes unrelated to counterterrorism or even foreign affairs.

A version of this post with footnotes is available here.