Privacy, Civil Liberties and the NSA
On July 2, the Privacy and Civil Liberties Oversight Board released a detailed analysis of U.S. surveillance programs. The headline-grabbing conclusion of the research is that a set of National Security Agency programs that collect vast amounts of Internet communications from U.S. companies has proved to be an effective intelligence tool, but that some aspects bordered on unconstitutionality. The board said the NSA programs need better safeguards for protecting Americans' communications scooped up in the process. One of the goals of the board in writing the report has been to increase transparency about U.S. surveillance. In addition to this effort to explain the program, the board has set forth a series of policy recommendations designed to ensure that the program appropriately balances national security concerns with privacy and civil liberties. As you pack up for July 4 weekend, we thought we’d take a closer look at what the Privacy and Civil Liberties Oversight Board is and what it found out about the NSA.
Following the attacks of September 11, 2001, Congress and President George W. Bush established the National Commission on Terrorist Attacks on the United States (popularly known as the 9/11 Commission), a bipartisan panel charged with investigating the events of 9/11 and offering recommendations designed to guard against future attacks. As the Commission acknowledged, many of its recommendations “call[ed] for the government to increase its presence in our lives -- for example, by creating standards for the issuance of forms of identification, by better securing our borders, by sharing information gathered by many different agencies.” (1) However, the 9/11 Commission also noted that “[t]he choice between security and liberty is a false choice, as nothing is more likely to endanger America’s liberties than the success of a terrorist attack at home.” Consequently, the Commission also recommended the creation of “a board within the Executive Branch to oversee . . . the commitment the government makes to defend our civil liberties.” In order to implement the 9/11 Commission’s numerous recommendations, Congress passed and President Bush -- on December 17, 2004 -- signed the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) which authorized the creation of the Privacy and Civil Liberties Oversight Board.
IRTPA required the Privacy and Civil Liberties Oversight Board to “ensure that concerns with respect to privacy and civil liberties are appropriately considered in the implementation of laws, regulations, and Executive Branch policies related to efforts to protect the Nation against terrorism.” In carrying out this mandate, the Board had two primary tasks. First, it must “advise the President and the head of any department or agency of the Executive Branch to ensure that privacy and civil liberties are appropriately considered in the development and implementation” of “laws, regulations, and Executive Branch policies related to efforts to protect the Nation from terrorism.” Second, it must exercise oversight by “continually review[ing] regulations, Executive Branch policies, and procedures . . . and other actions by the Executive Branch related to efforts to protect the Nation from terrorism to ensure that privacy and civil liberties are protected.” The statute expressly requires the Board to advise and oversee the creation and implementation of the Information Sharing Environment (ISE). IRTPA did not create an independent watchdog entity in the nature of an inspector general. Rather, the statute created a board that operates within the Executive Office of the President and ultimately reports to the President.
On June 10, 2005, President Bush nominated Carol E. Dinkins and Alan Charles Raul to be Chairman and Vice Chairman, respectively, of the Privacy and Civil Liberties Oversight Board. On February 17, 2006, the Senate confirmed Chairman Dinkins and Vice Chairman Raul. Five members of the board were sworn into office and held their first meeting on March 14, 2006.
But the original, underfunded board was criticized from the get-go as little more than an appendage of the presidency. Its first report to Congress was heavily edited by administration officials, inspiring Democrat Lanny Davis to quit in protest.
In January 2007, Congress decided to reform the board by reconstituting it as an independent agency, relocating it outside the White House. Lawmakers thought the board needed subpoena power to provide its advice and that each member, not just the Chairman and Vice Chairman, should be subject to Senate confirmation. The legislation also expanded the board's mandate to review the actions of Congress as well as the White House. President Bush nominated new members to continue operations under the revised mandate, but the Senate did not even hold hearings on these nominations or on the work of the board generally. Not to put too fine a point on it, but President Bush nominated three board members in early 2008. Congressional Democrats proposed two names; Bush accepted only one, and in retaliation the Senate refused to move on any of Bush's nominees.
Also in 2008, Congress passed and President Bush signed the FISA Amendments Act of 2008, which made changes to the Foreign Intelligence Surveillance Act of 1978 (“FISA”). Among those changes was the addition of a new provision, Section 702 of FISA, permitting the Attorney General and the Director of National Intelligence to jointly authorize surveillance conducted within the United States but targeting only non-U.S. persons reasonably believed to be located outside the United States. They can also compel the assistance of electronic communication service providers in order to acquire foreign intelligence information. Although U.S. persons may not be targeted under Section 702, communications of or concerning U.S. persons may be acquired in a variety of ways. The communications of U.S. persons may also be collected by mistake, as when a U.S. person is erroneously targeted or in the event of a technological malfunction, resulting in “inadvertent” collection. In such cases, however, the applicable rules generally require the communications to be destroyed.
Section 702 requires the government to develop targeting and “minimization” procedures that must satisfy certain criteria. As part of the FISA court’s review and approval of the government’s annual certifications, the court must approve these procedures and determine they meet the necessary standards. The targeting procedures govern how the Executive Branch determines a particular person is reasonably believed to be a non-U.S. person located outside the United States, and that targeting this person will lead to the acquisition of foreign intelligence information. The minimization procedures cover the acquisition, retention, use, and dissemination of any non–publicly available U.S. person information acquired through the Section 702 program.
Once foreign intelligence acquisition has been authorized under Section 702, the government sends written directives to electronic communication service providers compelling their assistance in the acquisition of communications. The government identifies or “tasks” certain “selectors,” such as telephone numbers or email addresses, that are associated with targeted persons, and it sends these selectors to electronic communications service providers to begin acquisition. There are two types of Section 702 acquisition: what has been referred to as “PRISM” collection and “upstream” collection.
- In PRISM collection, the government sends a selector, such as an email address, to a United States-based electronic communications service provider, such as an Internet Service Provider (“ISP”), and the provider is compelled to give the communications sent to or from that selector to the government. PRISM collection does not include the acquisition of telephone calls.
- Upstream collection differs from PRISM collection in several respects. First, the acquisition occurs with the compelled assistance of providers that control the telecommunications “backbone” over which telephone and Internet communications transit, rather than with the compelled assistance of ISPs or similar companies. Upstream collection also includes telephone calls in addition to Internet communications. Data from upstream collection is received only by the NSA: neither the CIA nor the FBI has access to unminimized upstream data. Finally, the upstream collection of Internet communications includes two features that are not present in PRISM collection: the acquisition of so-called “about” communications and the acquisition of so-called “multiple communications transactions” (“MCTs”).
The work of the board lapsed after January 30, 2008.
On December 15, 2011, President Barack Obama nominated David Medine to be Chairman of the Privacy and Civil Liberties Oversight Board and Rachel L. Brand and Patricia M. Wald to be members. The nomination was held up by Republicans in the Senate for over a year. Among other things, Sen. Lindsey Graham (R-SC) faulted Medine for refusing to say whether or not the country is engaged in a "war on terrorism." Without a Chairman, the board couldn't hire staff and had no full-time members. Medine was finally confirmed on May 27, 2013.
In June 2013, of course, we first learned of Edward Snowden, a 29-year-old former technical assistant for the CIA and employee of the defense contractor Booz Allen Hamilton. He worked at the NSA for four years as an employee of various outside contractors, including Booz Allen and Dell. Over the last year, documents provided by Snowden to a number of media outlets have revealed the extent of NSA surveillance programs.
The Privacy and Civil Liberties Oversight Board (PCLOB) began reviewing implementation of the FISA Amendments Act early in 2013, shortly after the board began operations as an independent agency. The PCLOB conducted an in-depth review of the program now operated under Section 702, in pursuit of the board’s mission to review Executive Branch actions taken to protect the nation from terrorism in order to ensure “that the need for such actions is balanced with the need to protect privacy and civil liberties.”
- The board concludes that PRISM collection is clearly authorized by the statute and that, with respect to the “about” collection, which occurs in the upstream component of the program, the statute can permissibly be interpreted as allowing such collection as it is currently implemented.
- The board also concludes that the core of the Section 702 program -- acquiring the communications of specifically targeted foreign persons who are located outside the United States, upon a belief that those persons are likely to communicate foreign intelligence, using specific communications identifiers, subject to FISA court–approved targeting rules and multiple layers of oversight -- fits within the “totality of the circumstances” standard for reasonableness under the Fourth Amendment, as that standard has been defined by the courts to date.
- Outside of this fundamental core, certain aspects of the Section 702 program push the program close to the line of constitutional reasonableness. Such aspects include the unknown and potentially large scope of the incidental collection of U.S. persons’ communications, the use of “about” collection to acquire Internet communications that are neither to nor from the target of surveillance, and the use of queries to search for the communications of specific U.S. persons within the information that has been collected.
- With these concerns in mind, the PCLOB report offers a set of policy proposals designed to push the program more comfortably into the sphere of reasonableness, ensuring that the program remains tied to its constitutionally legitimate core.
Targeting and Tasking
The NSA’s targeting procedures should be revised to: (a) specify criteria for determining the expected foreign intelligence value of a particular target; and (b) require a written explanation of the basis for that determination sufficient to demonstrate that the targeting of each selector is likely to return foreign intelligence information relevant to the subject of one of the certifications approved by the FISA court. The NSA should implement these revised targeting procedures through revised guidance and training for analysts, specifying the criteria for the foreign intelligence determination and the kind of written explanation needed to support it. We expect that the FISA court’s review of these targeting procedures in the course of the court’s periodic review of Section 702 certifications will include an assessment of whether the revised procedures provide adequate guidance to ensure that targeting decisions are reasonably designed to acquire foreign intelligence information relevant to the subject of one of the certifications approved by the FISA court. Upon revision of the NSA’s targeting procedures, internal agency reviews, as well as compliance audits performed by the ODNI and DOJ, should include an assessment of compliance with the foreign intelligence purpose requirement comparable to the review currently conducted of compliance with the requirement that targets are reasonably believed to be non-U.S. persons located outside the United States.
U.S. Person Queries
The FBI’s minimization procedures should be updated to more clearly reflect the actual practice for conducting U.S. person queries, including the frequency with which Section 702 data may be searched when making routine queries as part of FBI assessments and investigations. Further, some additional limits should be placed on the FBI’s use and dissemination of Section 702 data in connection with non–foreign intelligence criminal matters.
The NSA and CIA minimization procedures should permit the agencies to query collected Section 702 data for foreign intelligence purposes using U.S. person identifiers only if the query is based upon a statement of facts showing that it is reasonably likely to return foreign intelligence information as defined in FISA. The NSA and CIA should develop written guidance for agents and analysts as to what information and documentation is needed to meet this standard, including specific examples.
FISA Court Role
To assist in the FISA court’s consideration of the government’s periodic Section 702 certification applications, the government should submit with those applications a random sample of tasking sheets and a random sample of the NSA’s and CIA’s U.S. person query terms, with supporting documentation. The sample size and methodology should be approved by the FISA court.
As part of the periodic certification process, the government should incorporate into its submission to the FISA court the rules for operation of the Section 702 program that have not already been included in certification orders by the FISA court, and that at present are contained in separate orders and opinions, affidavits, compliance and other letters, hearing transcripts, and mandatory reports filed by the government. To the extent that the FISA court agrees that these rules govern the operation of the Section 702 program, the FISA court should expressly incorporate them into its order approving Section 702 certifications.
Upstream and “About” Collection
To build on current efforts to filter upstream communications to avoid collection of purely domestic communications, the NSA and DOJ, in consultation with affected telecommunications service providers, and as appropriate, with independent experts, should periodically assess whether filtering techniques applied in upstream collection utilize the best technology consistent with program needs to ensure government acquisition of only communications that are authorized for collection and that prevent the inadvertent collection of domestic communications.
The NSA periodically should review the types of communications acquired through “about” collection under Section 702, and study the extent to which it would be technically feasible to limit, as appropriate, the types of “about” collection.
Accountability and Transparency
To the maximum extent consistent with national security, the government should create and release, with minimal redactions, declassified versions of the FBI’s and CIA’s Section 702 minimization procedures, as well as the NSA’s current minimization procedures.
The government should implement five measures to provide insight about the extent to which the NSA acquires and utilizes the communications involving U.S. persons and people located in the United States under the Section 702 program. Specifically, the NSA should implement processes to annually count the following (these figures should be reported to Congress in the NSA Director’s annual report and should be released publicly to the extent consistent with national security):
- the number of telephone communications acquired in which one caller is located in the United States;
- the number of Internet communications acquired through upstream collection that originate or terminate in the United States;
- the number of communications of or concerning U.S. persons that the NSA positively identifies as such in the routine course of its work;
- the number of queries performed that employ U.S. person identifiers, specifically distinguishing the number of such queries that include names, titles, or other identifiers potentially associated with individuals; and
- the number of instances in which the NSA disseminates non-public information about U.S. persons, specifically distinguishing disseminations that include names, titles, or other identifiers potentially associated with individuals.
The government should develop a comprehensive methodology for assessing the efficacy and relative value of counterterrorism programs.
Finally, the board recognizes that privacy is a human right that has been recognized in the International Covenant on Civil and Political Rights, an international treaty ratified by the U.S. Senate, and that the treatment of non-U.S. persons in U.S. surveillance programs raises important but difficult legal and policy questions. Many of the generally applicable protections that already exist under U.S. surveillance laws apply to U.S. and non-U.S. persons alike. President Obama’s recent initiative under Presidential Policy Directive 28 on Signals Intelligence (“PPD-28”) will further address the extent to which non-U.S. persons should be afforded the same protections as U.S. persons under U.S. surveillance laws. Because PPD-28 invites the PCLOB to be involved in its implementation, the Board has concluded that it can make its most productive contribution in assessing these issues in the context of the PPD-28 review process.
As noted above, the timing of the Privacy and Civil Liberties Oversight Board report is not lost on us. July 2 also marked the 50th anniversary of the Civil Rights Act, an achievement President Obama noted as a “commitment to building a freer, fairer, greater society.” And, of course, tomorrow we celebrate the 238th anniversary of the signing of the Declaration of Independence and the beginning of a great experiment, American democracy. That celebration should include a renewed commitment to ensure our Nation lives up to its promise and creed -- that all are created equal, that they are endowed with certain unalienable rights -- Life, Liberty, and the pursuit of Happiness, (dare we add privacy?) -- that to secure these rights, governments are instituted, deriving their just powers from the consent of the governed.
1. The 9/11 Commission Report (2004), available at http://www.9-11commission.gov/report/911Report.pdf