Last week, we argued that the public discussion surrounding two of the government’s most controversial mass surveillance programs – PRISM and Upstream – has not sufficiently acknowledged the broad scope of collection under these programs, which take place under section 702 of the Foreign Intelligence Surveillance Act (FISA). In short, hiding behind the counterterrorism justifications for section 702 is a broad surveillance program that sucks up massive amounts of irrelevant private data.
Today we show why, even though digital surveillance conducted under section 702 is directed overseas, such efforts collect substantial amounts of Americans’ private data. Next week we show how that data can be used for multiple purposes that have nothing to do with foreign intelligence or national security, including criminal investigations.
Our efforts come as lawmakers begin to debate the merits of the PRISM and Upstream surveillance programs ahead of section 702’s December 31, 2017 sunset date. We hope to clear misperceptions about the nature of a surveillance regime that is inconsistent with both the US Constitution’s “reasonableness” requirement as well as international human rights norms that require surveillance to be necessary and proportionate.
Section 702 Programs Gather a Substantial Amount of US Persons’ Communications
Section 702 proponents emphasize the FISA statute’s requirement that surveillance under the 702 provision only target non-US persons located abroad. They then push the seductive (but false) implication that this requirement means section 702 does not materially affect Americans. For example, during the 2012 FISA reauthorization debate, former House Intelligence Committee Chairman Mike Rogers (R-MI) acknowledged that the law might permit surveillance of Americans, but that this would happen “only very rarely.” In 2013, shortly after newspapers revealed details of the PRISM program, Director of National Intelligence James R. Clapper issued a statement reassuring the public that section 702 cannot be used to intentionally target any US citizen or anyone located within the United States. Director Clapper also emphasized that agencies conducting section 702 surveillance must follow procedures meant to minimize the acquisition, retention, and dissemination of incidentally acquired information about US persons.
Nevertheless, a recently declassified FISA Court (FISC) opinion from November 2015 confirmed what many people already suspected – section 702 actually sweeps up “substantial quantities” of information concerning US persons. In other words, the surveillance program subjects Americans to extensive, warrantless surveillance. This broad collection of communications may be politically palatable when Americans are talking to terrorists — the implication is that this “incidental” collection is minor and necessary for public safety. However, as explained above, foreign targets are not necessarily terrorism suspects, or wrongdoers of any kind. Section 702 contemplates surveillance targeting bureaucrats, scientists, aid workers – anyone of “foreign intelligence” interest. Because the sanctioned surveillance topics are so broad, a vast number of people, including Americans, routinely have their communications swept up with no national security benefit attached.
First, Americans are surveilled when they talk to foreign targets. The obvious case is international communications, where one of the parties is a target and the other is an American. However, this “incidental collection” is more extensive than one might think because of the very nature of the internet and the many different ways information is exchanged throughout it. For example, internet messages are commonly multi-user communications taking place in chat rooms and on social networks. If even one participant is foreign, communications from all the other people participating may be subject to section 702 collection. In other words, a single target can justify surveillance of tens or hundreds of other people, some of which may be US persons on US soil.
Second, Americans’ communications are collected as part of section 702’s Upstream collection program. Under the program, the government “tasks” a given selector (such as an email address or phone number) in the stream of internet data flowing through particular network gateways (known as the “internet backbone”). If the stream of internet packets contains the selector, the Upstream program will acquire the entire “internet transaction” containing that selector. Some transactions only include one communication (Single Communications Transactions – SCT’s), while others contain multiple discreet communications (Multiple Communications Transactions – MCT’s). Because of the way the NSA conducts Upstream collection, if any communication within an SCT or MCT is “to,” “from,” or even “about” a tasked selector, the entire transaction is collected. The collection of MCT’s further removes the nexus between the communicants and the intended target because any communication that is embedded within a transaction that happens to include a communication that so much as mentions the targeted selector can get swept up. This includes wholly domestic communications.
Read the full post at Just Security.