Reforming 702: Does NSA Minimize Cloud Files?

Yesterday, I wrote generally about the problems with section 702 of the FISA Amendments Act (FAA). Today I want to focus on categories of information—including content—that NSA collects under section 702 but maybe never minimizes—meaning one of the few safeguards for U.S. person privacy is non-existent.

In short, since the thirteen-page 702 minimization procedures only apply to communications, and since today’s NSA probably excludes unshared cloud-stored data from the definition of communications, it’s possible no minimization rules apply to protect American privacy.

MINIMIZATION GENERALLY

Intelligence officials regularly tell Americans that we have nothing to fear from dragnet surveillance because after-the-fact minimization procedures are in place to protect our privacy from overbroad collection. For example, Office of the Director of National Intelligence (ODNI) General Counsel Robert Litt said during a July 2013 speech, “Minimization procedures can and do differ depending on the purpose of the surveillance and the technique used to implement it. These tailored minimization procedures are an important way in which we provide appropriate protections for privacy”. In responding to reports that the NSA monitors roughly 75% of U.S. Internet traffic, an NSA spokesperson reassured the public that if American communications are “incidentally collected during NSA’s lawful signals intelligence activities,” the agency follows “minimization procedures that are approved by the U.S. attorney general and designed to protect the privacy of United States persons.”

The section 702 minimization procedures are now declassified and publicly available.  As you’ll see, they deal almost exclusively with “communications”, and not with other kinds of information.

PRISM COLLECTION INCLUDES INFORMATION NSA MAY NOT CONSIDER A COMMUNICATION

I want to highlight certain categories of information NSA collections under 702, but about which not enough has previously been said.  In addition to email, chats and other Internet communications, slides published by the Washington Post show that via PRISM, the NSA gets real time notification of email and instant messaging events.  These include logins, logouts and sent messages.  The NSA also obtains basic subscriber information. It also gets videos, photos, stored data, and file transfers. The slides do not specifically mention it, but NSA probably also gets task lists, contacts, buddy lists, and address books. Presumably, the NSA collects the same kind of data upstream.

The legal question—one which the PCLOB and Congress must ask—is whether NSA treats this information as communications. Because if it doesn’t, then it doesn’t apply its vaunted privacy protecting minimization rules to this data.

According to David S. Kris and J. Douglas Wilson, authors of National Security Investigations & Prosecutions [§7.5], the bible on national security investigations law:

A “communication” as the term is used in FISA’s definition of electronic surveillance must have a “sender” and one or more “recipients”. Although the statute does not make clear whether the sender and recipient of a communication can be the same person—e.g. when a person sends n e-mail from his or her work e-mail account to his or her personal e-mail account—nothing in the text or legislative history of FISA overly conflicts with treating the same person as both sender and recipient of a communication.  Similar issues may arise with respect to diaries, task lists, oral statements of persons who talk to themselves, and certain kinds of arguably “symbolic” speech.  In addition, it may be worth considering whether certain forms of Internet activity—e.g. electronic transmissions between an individual user’s personal computer and the servers of his ISP—are themselves “communications” even where there is no human being on the received end of the transmission at the ISP.

You bet it’s worth considering.  Because if NSA isn’t treating file transfers, photos, videos, other cloud stored data, contact lists, or any other unshared Internet data as “communications”, then it collects but does not minimize Americans’ private information. Today’s NSA is incredibly aggressive in interpreting the law to allow it maximum surveillance powers. If Kris and Wilson say a legal outcome is uncertain, there’s every reason to believe NSA has taken the most surveillance-friendly stance (and that the FISA court has blessed it). That means “important” minimization procedures are doing nothing to protect this private data from NSA use, abuse, or sharing with law enforcement or even foreign governments.

SECTION 702 AND MINIMIZATION OF INFORMATION  

When I say that information collected under section 702 is not minimized, that is because the minimization procedures deal almost exclusively with “communications”. Communications minimization procedures have provisions for deletion or anonymization of such messages, which we will look at in the future.

But there are only a few sections of the 702 minimization procedures that address information that is not a communication.  Section 3(a) says that 702 acquisition:

…will be conducted in a manner designed, to the greatest extent reasonably feasible, to minimize the acquisition of information not relevant to the authorized purpose of the investigation (i.e. foreign intelligence).

Section 3(b)(1) says:

Personnel will exercise reasonable judgment in determine whether information acquired must be minimized and will destroy inadvertently acquired communications of or concerning a United States person at the earliest practicable point in the processing cycle at which such communication can be identified either: as clearly not relevant to the authorized purpose of the acquisition (e.g. the communication does not contain foreign intelligence information) or, as not containing evidence of a crime which may be disseminated under these procedures.

Section 3(c)(1) says:

…other discrete forms of information (including that reduced to graphic or “hard copy” form such as facsimile, telex, computer data, or equipment emanations) that do not meet the retention standards set forth in these procedures and that are known to contain communications of or concerning United States persons will be destroyed upon recognition, and may be retained no longer than five years…

And finally, Section 8 – Collaboration with Foreign Government says:

(a) Procedures for the dissemination of evaluated and minimized information. Pursuant to Section 1.7(c)(8) of Executive Order 1233, as amended, NSA conducts foreign cryptologic liaison relationships with certain foreign governments.  Information acquired pursuant to section 702 of the Act may be disseminated to a foreign government. Except as provided in subsection 8(b) of these procedures [technical or linguistic assistance], any dissemination to a foreign government of information of or concerning a United States person that is acquired pursuant to section 702 may only be done in a manner consistent with subsections 6(b) [Foreign Communications of or Concerning United States Persons] and 7 [Other Foreign Communications] of these NSA minimization procedures.

In sum, NSA should make reasonable efforts to try to get only foreign intelligence information, and if it overcollects and scoops in irrelevant stuff, or if the collected information is of or concerning a U.S. person, agents are “to exercise reasonable judgment in determine whether information acquired must be minimized”. Otherwise, they can keep it, they can use it, they can share it. They don’t have to anonymize it. Nothing, nada. No one need follow any of the thirteen pages of minimization procedures the NSA applies to communications. As the doge says: Wow.

Questions For The NSA

Congress and the public need to know. What is the legal definition of “communications” for the purpose of FISA minimization? Are electronic transmissions between an individual user’s personal computer and the servers of his provider “communications”? What happens to my cloud backups? What about stored but not shared files, photos and videos? Does NSA treat real time notifications as communications? How about subscriber information? When does it share these with law enforcement, or foreign governments?

The minimization procedures’ disparate treatment for communications and information raises other red flags.  Why does the NSA and FISA court take pains with communications, but not with other kinds of information? Why don’t the minimization procedures clearly protect photos, videos, stored files and other “content” that may not be a communication? We know that the FISA court does not consider the Fourth Amendment to apply to metadata at all. Has the FISC issued still-classified opinions that say warrantless seizure of cloud stored files is constitutional, regardless of what they are, so long as we aren’t talking to another person? Is that why the NSA does not have minimization rules for information?

So far, the public discussion about section 702 has turned a blind eye to the possibility that NSA collects but does not minimize information traditionally considered content under 702.  That has to stop. The PCLOB and Congress must get to the bottom of this. Without this information, the public cannot have a meaningful discussion about section 702 and privacy.

  

About the Author(s)

Jennifer Granick

Surveillance and Cybersecurity Counsel at the ACLU's Project on Speech, Privacy and Technology Follow her on Twitter (@granick).