We Know a Lot More About U.S. Spying Since Section 702’s Last Reauthorization

As Congress finally starts to debate whether to reauthorize Section 702 of the FISA Amendments Act before it expires at the end of this year, it’s important to remember that we know a lot more about the government’s troubling practices since the law was last reauthorized in 2012.

As a reminder, FISA is the statute that regulates foreign intelligence surveillance and for decades required individualized court orders based on probable cause to collect information about people here in the U.S. Seeking to authorize President George W Bush’s warrantless wiretapping program, Congress passed Section 702 to allow the government to target foreigners abroad without any judicial determination that the person was a national security threat– knowing that the collection would happen here in the US and that Americans could be picked up in the process.  Procedurally, the government obtains an annual 702 order from the FISA Court after negotiating the privacy and targeting rules that will apply to the program. The government is then allowed to choose its own targets for “foreign intelligence” spying, which not only includes terrorists, spies, and foreign leaders, but for people relevant to the catch all categories of defense and foreign affairs. It collects both metadata and the content of communications, and compels U.S. tech companies, phone companies and internet service providers to turn over the data.  Once collected, it is saved for years and used not only in intelligence investigations, but criminal prosecutions. It has not been substantively amended since its original passage in 2008.

Calls to extend the program without any amendment seem to ignore the last four years and all the new information available to members of Congress due to Edward Snowden’s 2013 leaks and the Obama administration’s subsequent transparency efforts. Lawmakers should be very concerned about its scope, lack of privacy protections, and near-constant compliance problems. Legislators who supported the program before should feel free to change their minds.

Here’s a quick refresher on all the revelations that should factor into the Section 702 reauthorization debate: 

1. Section 702 has been used to collect wholly domestic communications. FISA court opinions confirm that while “targeting” foreigners abroad for surveillance, the National Security Agency knowingly collects communications that are both to and from people in the United States. According to the Privacy and Civil Liberties Oversight Board, this happens for two reasons. First, the government searches communications traversing the internet backbone looking for references “about” its targets, without regard for the nationality or location of the communicants. Second, the NSA seizes whole groups of communications at one time due to technological restraints, picking up U.S.-U.S. communications in the process.

While these “about” searches  have been temporarily suspended, Sen. Ron Wyden’s (D-OR) recent letters to the administration imply that some sort of larger domestic spying issue is still at play. As a member of the Intelligence Committee, the Senator has been briefed on Section 702 programs and is refusing to accept vague and noncommittal testimony about whether the government is collecting wholly domestic information under the program.

2. Section 702 surveillance collects information completely unrelated to its targets. A July 2014 review of a sample of documents provided to the Washington Post found that 9 out of 10 account holders had nothing to do with the foreign target, and included sensitive information like medical records and family photos. Despite being deemed “useless” by analysts, the “incidental” information was retained anyway – and nearly half the files referenced U.S. persons. Even though those references were overwhelmingly masked in documents that were later distributed, it’s clear that because in addition to targeting email communications, it targeted servers, chatrooms, and other places that reflect the behavior of many innocent people, this “targeted” program was collecting a windfall of irrelevant data.

3. Section 702 data is used to prosecute Americans in unrelated criminal prosecutions without providing notice to defendants. This issue has been thoroughly explained by others, but in short, the Justice Department has created new rules governing when someone “incidentally” surveilled under Section 702 must be notified about the origin of the evidence used against them in court. The legal memo explaining the notice process remains secret, but we know that only a handful of defendants have received notice over the last 9 years, and likely under the interpretation that if the information is used as a “tip” to recollect the information under other tools, notice of FISA origination is not necessary. This is consistent with reports that intelligence is regularly funneled to the Drug Enforcement Administration (DEA), which then builds parallel stories of how its agents collected the evidence against the defendant to obscure its true source.

The administration notes that internal policy restricts introduction of 702 evidence in court to “serious” cases, but the list of triggering offenses uses vague terms like “substantial bodily harm,” “cybersecurity,” or “transnational crime.”  Besides, as discussed above, 702 data may not be directly introduced into evidence, but laundered through other authorities that can hide the true origin of the information. By using this “parallel construction” to rediscover the same information with criminal investigative tools, the list of serious crimes becomes irrelevant because the 702 information itself never gets to court.

4. The intelligence agencies have a history of failing to follow court-ordered privacy practices including rules developed in 2011 that the FISA Court deemed necessary to keep 702 from being illegal and unconstitutional. According to documents dating as far back as 2009, the agencies have repeatedly failed to comply with court ordered privacy procedures. For example, when reviewing the call records program under section 215 of the Patriot Act, the FISA Court found that the government filed “repeated inaccurate statements” with the court and violated the privacy rules “frequently and systematically.” Specific to Section 702, documents released this spring found that 702’s most controversial practice – filtering the internet backbone for references, to, from or about a target, and then keeping the irrelevant and domestic data that comes back – went off the rails, with the NSA failing to follow the rules for an undisclosed period of time. The NSA ended up stopping this controversial practice that could not be made compliant with the privacy rules, but it has reserved the right to restart those surveillance activities at a later date. This violation should be taken much more seriously than it has been.

5. The government searches the 702 database for American information tens of thousands of times a year. New reports from the Office of the Director of National Intelligence (ODNI) confirm that NSA and CIA officials searched through data with known American identifiers like emails and phone numbers more than 35,000 times last year. This is just a partial count that includes all NSA searches of content and metadata and CIA searches of content only.  This number does not reflect searches run by the CIA through metadata (which will be reported next year) nor searches conducted by the FBI, which has received a statutory exemption from reporting this statistic altogether. It also does not account for the National Counterterrorism Center, which just procured access to the raw 702 data this spring.  Furthermore, the FBI is clear in its most recent privacy rules: these searches do not have to pertain to an open investigation, an assessment, or other formal and regulated inquiry at all. As described in the Attorney General Guidelines, “assessments” are not predicated investigations, but instead permit the collection of information for situational awareness, understanding potential victims, developing informants and more. That there need not even need to be an assessment open means the FBI could be searching for Americans on essentially a hunch.

6. Privacy rules allow the government to keep and use almost everything it collects. The court-approved privacy rules for Section 702 broadly allow the government to collect and keep data, including both records and contents of communications. Even if the government knows that information pertains to an American or someone in the US, it can still keep it for years and use it for purposes that have nothing to do with counterterrorism efforts. But more broadly, if the government doesn’t know a person’s nationality, location, or even if they are relevant to foreign intelligence at all—the default is to keep it and process it later. Essentially, intelligence agencies operate under the concept of: snatch up as much information as possible, ferret it away, and search it later – and only delete it if it is affirmatively found to fall under a protected category. This is perhaps how so much irrelevant and U.S. data is collected, as discussed above.

7. The administration refuses to estimate how many Americans are in the 702 database, despite acknowledging the ability to do so. For more than a year, former ODNI James Clapper said his office could and would estimate the number of Americans who were “incidentally” surveilled under the program. The office said it would provide Congress a good faith estimate subject to caveats or perhaps reflect only a sampling, but it could be done and the government needed only to pick one of several methods and do it. But earlier this spring, the ODNI under new Director Dan Coats reversed course. As CDT and other groups have documented elsewhere, counting the number of Americans in the database is not a privacy violation in and of itself and is crucial to understanding the scope of collection under this program.

As one can see, Congress can make a much more informed decision this time around, and this new information about invasive practices provides a roadmap for reform. With the sunset only five months away, it’s time for Congress to put pen to paper and deal with these new revelations.

Image: Trevor Paglen

 

About the Author(s)

Michelle Richardson

Deputy Director of the Center for Democracy and Technology’s Freedom, Security, and Technology Project