An NSA site in Germany.
On Wednesday, the Republican chair of the House Intelligence Committee, Devin Nunes (R-CA), gave a press conference in which he reported that Trump transition team members’ communications were intercepted by US intelligence agencies through “incidental collection.” This follows on Nunes’ concerns, after Michael Flynn stepped down following intelligence reports that he had talked to the Russian ambassador. Nunes (R-Calif.) said then, “[t]he big problem I see here is that you have an American citizen who had his phone calls recorded.”
Nunes’s concern for Flynn was misplaced. The Russian ambassador, Sergey Kislyak, is an obvious foreign intelligence target. If Flynn was talking to him, he would almost certainly be recorded as part of “incidental collection.” Depending on who Trump transition team members were speaking with, their incidental collection might also be unsurprising.
But Nunes is broadly correct that Americans’ sensitive communications are picked up by incidental collection and that the minimization rules governing how those conversations are handled are not robust enough to protect American privacy from official and unofficial mishandling.
As I explain in my new book, American Spies: Modern Surveillance, Why You Should Care, and What to Do About It, “incidental collection” is what the intelligence community calls the monitoring of Americans that happens as a result of surveillance targeting foreigners. The phrase makes it sound like there are only a few incidents when this kind of collection happens. In other words, incidental sounds unintentional and insignificant. But incidental collection can overwhelm collection about the target. Depending on the legal authority underpinning foreign intelligence interceptions and the technology used to conduct the collection, spying on foreigners can have a huge impact on American privacy. Use of the word “incidental” obscures this truth.
Thanks to Nunes, the public is getting a little more insight into how intelligence agencies may be handling incidental collection. Many of Trump’s officials, with their international business activities, are probably well-represented in foreign intelligence intercepts. That makes them vulnerable to having their materials searched for political purposes. To prevent this kind of abuse, intelligence officials regularly point to “minimization policies” as the means to provide appropriate protections for American privacy. These policies are supposed to limit the dissemination of information to matters of foreign intelligence or, if to the FBI, criminal behavior. Further, the names and identifying information of American citizens are supposed to be blacked out, or masked, unless necessary to understand the foreign intelligence information.
In his Wednesday press conference, Nunes said that details of calls with little foreign intelligence value were passed around the intelligence community and that names of Trump transition officials were “unmasked”, or not blacked out. This is a serious allegation. Nunes, as chair of the House Intelligence Committee, is charged with overseeing minimization policies and how they are implemented. He is telling us that he finally took a look and did not like what he saw.
[More investigation is needed. After Nunes made this claim, Rep. Adam B. Schiff (D-CA), the leading Democrat on the Intelligence Committee, said that Mr. Nunes clarified that the names actually were masked in the reports, but that Mr. Nunes could still tell who they were.]
Rep. Trey Gowdy (R-S.C.), like Nunes, has been a stalwart advocate of increased surveillance powers. But as he pointed out in a House Intelligence Committee hearing on Monday, the American people aren’t going to trust the government with spying capabilities if they think their names are going to be accessible to investigators and potentially leaked to the public for political reasons.
If there’s any good news here, it is that these political developments suggest increased receptiveness on the part of lawmakers to substantive statutory surveillance reform.
Edward Snowden helped reveal to the world two controversial surveillance programs used by the NSA to collect large swaths of private communications from inside the United States. The programs, called PRISM and Upstream, are authorized by section 702 of the Foreign Intelligence Surveillance Act (FISA). On December 31, 2017, section 702 will expire unless Congress reauthorizes it. Major reform is sorely needed before section 702 should be allowed to survive.
In practice, section 702 is being used for broad surveillance programs that suck massive amounts of sensitive, detailed, and intimate personal information– a sizeable chunk of which belongs to U.S. persons – into government databases.
Obviously, Americans are surveilled when we talk to foreign targets under surveillance. Yet, this “incidental collection” is more extensive than one might think. Unlike telephone calls, Internet messages are commonly multi-user communications taking place in chat rooms and on social networks. If even one participant is foreign, communications from all the other people participating may be subject to collection. In other words, a single foreign target can justify surveillance of tens or hundreds of other people, some of which may be U.S. persons on U.S. soil.
Further, the NSA’s Upstream surveillance involves the government making a copy of most of the international Internet and telephone data flowing through particular network gateways (known as the “internet backbone”). Machines then search through that data for particular selectors (such as an email address or phone number) in the stream of internet data. If the stream of internet packets contains the selector, the Upstream program will acquire the entire “internet transaction” containing that selector. Because of the way the NSA conducts this “Upstream” collection, if a communication is “to,” “from,” or even “about” a tasked selector, the entire transaction is collected.
Once gathered, communications content and transactional information swept up under 702 is available to the CIA and the FBI. The FBI has access to raw PRISM data. It can search this information for American names at the assessment stage of investigations. That means the searches take place without probable cause, reasonable suspicion, or judicial oversight. This practice is often referred to as the “backdoor search loophole” because it enables law enforcement to obtain private information that would otherwise be unavailable without a warrant or similar probable cause finding. The FBI’s access to Upstream data is “minimized”, meaning Americans’ names are blacked out. But the NSA may reveal these American identities to the FBI if the information reasonable appears to contain evidence that a crime has been or will be committed.
Nunes’ claims go directly to the question of whether Americans should put faith in minimization procedures. With such a huge repository of data, government agents have the capacity to learn whether an individual has engaged in religious activities, political activities, activities involving the press or other media, sexual activities, and medical, psychiatric, or psychotherapeutic activities. If placed in the wrong hands, such power can be incredibly dangerous. If non-foreign intelligence is being passed around with Americans’ names unmasked, then the intelligence community is failing at protecting Americans’ security and privacy.
This is of particular concern for average people, and not just for Trump transition team officials. President Trump has said that during the course of his presidency he wants to prosecute political challengers, potentially create a database of Muslims inside the country, and rapidly deport millions of people, prioritizing not only those who have been convicted of crimes, but those who have committed acts that could be charged as crimes. Furthermore, his attorney general, Jeff Sessions, has hinted at a crackdown on marijuana use, which could be used as a means to pursue arrests.
Massive surveillance conducted in the name of foreign intelligence could be repurposed by the Trump Administration to achieve these ends. As civil libertarians have been warning for years, the U.S. government is gathering vast amounts of private information on Americans. The rules meant to protect this information from misuse are inadequate. Further, Trump could secretly change minimization policies to allow investigators to search the data looking for Muslims, marijuana smokers, and more. Existing oversight mechanisms are poorly designed to expose or correct a wayward president who has ordered illegal spying contrary to the rules.
However, this year Congress has an opportunity to take a big step forward in protecting Americans from surveillance abuses. Foreign intelligence surveillance is an important part of U.S. national security. But the practice has, in secret, metastasized to the point where it is ripe for anti-democratic abuse. Fixing this problem can start with reforming section 702 this year. In light of Representative Nunes’ disturbing observations, the specter of Trump’s domestic policies hanging over our heads, and an administration untethered by established norms or the rule of law, will Congress act?
For details on what should happen, you can read my (much longer and more detailed) report at The Century Foundation website. In short, Congress must consider amendments that would address the areas of section 702 that are most problematic, specifically the scope of collection, its retention and use, and the secrecy surrounding it. Congress should limit to national security interests the purposes for which the intelligence and law enforcement communities can conduct section 702 surveillance and use the resulting information. Congress should end the back door search loophole. Finally, Congress should declassify court opinions and internal memoranda that explain how section 702 operates, and otherwise insist on greater transparency and public oversight of section 702 operations.
Image: Thomas Lohnes/Getty