Stanford CIS

We All Go Down Together: NSA Programs Overseas Violate Americans’ Privacy, Yet Escape FISC, Congressional Oversight

By Jennifer Granick on

Cross-posted from Just Security.

Ongoing revelations show that significant NSA surveillance activities take place outside of either Foreign Intelligence Surveillance Court (FISC) or congressional oversight, even though these policies directly impact Americans’ privacy.  These activities should, at the very least, be subject to congressional review, since American interests are being adversely impacted by them.

This past Sunday, the Washington Post reported that the National Security Agency gathers hundreds of millions of address books and contact lists from people around the world, including some Americans. The collection occurs in foreign countries, such as when Americans’ data crosses international borders. FISA does not regulate this activity, and neither the Foreign Intelligence Surveillance Court (FISC) nor Congress oversees this program.

Also, in early September, The Guardian, New York Times, and ProPublica reported that the NSA has found ways to circumvent encryption protocols, which protect sensitive data like trade secrets, banking information and medical records as they travel over the Internet. These efforts include having secretly and successfully subverted the National Institute of Technology Standards (NIST) process to ensure adoption of a weakened encryption standard. NIST is the federal technology agency that works with industry to develop and apply technology, measurements, and standards. NIST standards are implemented by commercial entities the world over.  A flawed NIST standard leaves products vulnerable to infiltration from both the NSA and from bad actors who also discover the problem. The FISC does not approve or authorize NSA’s efforts to circumvent encryption. Nor does it appear that Congress exercises oversight of these programs.

The legal reasons for evading FISC and Congressional oversight for each of these practices vary, though the consequence is the same: the NSA is unaccountable to any authority outside the Executive Branch for these — and certainly other — practices.

The NSA appears to collect address books and contact lists at overseas locations under Executive Order 12333, which the President issues under his Article II powers, and not under FISA. The WaPo’s sources give two related but distinct reasons to conclude that the program is not restricted by FISA and is outside of the FISC oversight.  The first is that the collection takes place overseas.  The second is that when collection takes place overseas, “the assumption is you’re not a U.S. person”, i.e. an American or green card holder.

FISA’s definitions of “electronic surveillance” depend on the type of information acquired and whether acquisition occurs in the U.S. or targets/collects information on U.S. persons or any persons located in the U.S.  According to the slides published by the Post, the contact list collection takes place at various communications nodes outside the U.S.  According to the statute, if the information is not “content” and collection takes place abroad, FISA doesn’t apply. 50 USC 1801(f)(4).

If all you care about is U.S. persons’ privacy, then Congress’ decision in 1978 to limit this definition of electronic surveillance to in-country collection might have once made sense.  But today, it does not. Because of the nature of the global internet, data crosses international boundaries even when its American owners stay at home. Large technology companies like Google and Facebook maintain data centers around the world to balance loads on their servers and work around outages. That means that vast amounts of Americans’ data will travel abroad and be collected there. Nor are there legal disincentives for such collection. The statute would even allow the NSA to intentionally target Americans for this kind of collection, so long as it happens overseas.

However, address books and contact lists are probably “content” under FISA, and therefore different rules apply here.  The term is specifically defined under FISA:

“Contents”, when used with respect to a communication, includes any information concerning the identity of the parties to such communication or the existence, substance, purport, or meaning of that communication.

It’s worth comparing this definition to that of “content” in the criminal context under the Electronic Communications Privacy Act (ECPA):

“Contents”, when used with respect to any wire, oral, or electronic communication, includes any information concerning the substance, purport, or meaning of that communication.

The FISA definition is broader than ECPA in that it includes (1) “any information concerning the identity of the parties to such communication” and (2) any information concerning the existence of that communication. Address books regularly identify their owner, either explicitly or through deduction.  For example, my Apple Contacts list indicates which card belongs to me.  Additionally, the Post’s examples of the ways the NSA is using the contact list information show it at least sometimes knows the owner of the lists.

If this is correct, then the NSA must comply with FISA if the information is sent by or intended to be received by a particular, known U.S. person who is intentionally targeted. This is why the WaPo’s source’s second comment is important.  Overseas collection may result in massive amounts of surveillance on Americans, but the NSA could believe that these common and voluminous mistakes are neither “known” nor “intentional” and therefore not seek to comply with FISA.

Another NSA argument might be that the contact lists are collected via “vacuum cleaner” surveillance, and no person is targeted.  Since no one is targeted, even if Americans’ information is routinely sucked in, the collection falls outside the scope of “electronic surveillance” as FISA defines it. Again, if all you care about is U.S. persons’ privacy, then Congress’ decision to limit regulation of “electronic surveillance” to situations where Americans are targeted might make sense if NSA collection consisted solely of traditional particularized surveillance. But once you shift to wholesale acquisition, nothing is targeted, and that limitation stops protecting Americans and instead serves no purpose.

I don’t mean to suggest that, in 1978, Congress intended to leave foreign collection unregulated. FISA’s legislative history suggests Congress believed such surveillance affects the privacy interests of Americans and deserved to be limited, but that Congress did not want to hold up the passage of FISA to resolve those more difficult issues.  For a variety of reasons, Congress never really got back to the problem. Initially, the price to be paid in American privacy may not have been high, but that has changed, and the bill for neglecting foreign intelligence collection is now coming due.

Our current information regarding other NSA bulk collection practices suggests that broad collection techniques will inevitably “incidentally” acquire Americans’ information, that the information will not be limited to information in address books and buddy lists, and that at least some of this data, everyone will agree, is content.  The NSA’s view appears to be that even pervasive unintentional collection that would otherwise be regulated or prohibited does not affect the legality of its programs.  For example, under Section 702, NSA official guidelines say that if the agency collects an American’s records while targeting a foreigner, even if the accidental collection is pervasive, it “does not constitute a . . . violation” and “does not have to be reported” to the NSA inspector general for inclusion in quarterly reports to Congress.

NSA conducts this contact list surveillance outside of the FISA regime and without FISC oversight.  The American people deserve to know more about this collection program, how many Americans are affected, and why the NSA believes it is legal.

Congressional oversight of these kinds of programs is even more anemic than usual, and may be non-existent. The President amends E.O. 12333 without input from Congress.  The NSA was not reporting to the Intelligence Committees abuses that take place under E.O. 12333-authorized programs.  For example, in the October 2, 2013 FISA oversight hearing chaired by Sen. Patrick Leahy (D-VT), Director of National Intelligence James Clapper told Senator Amy Klobuchar that the Administration’s false assurances there had been no abuses of the Section 215 phone records collection were not false because the abuses identified in an internal audit had occurred under E.O. 12333 and need not be reported.  (after 1:25, hat tip to Marcy Wheeler). In late September, Intel Committee Chair Feinstein acknowledged that E.O. 12333 programs receive far less congressional oversight, and fewer protections for U.S. person privacy. The Senator ordered that the NSA report further on its intelligence collection outside of FISA. Specifically regarding the contact list collection, the Washington Post quotes a senior Intelligence Committee staffer:

“In general, the committee is far less aware of operations conducted under 12333,” said a senior committee staff member, referring to Executive Order 12333, which defines the basic powers and responsibilities of the intelligence agencies. “I believe the NSA would answer questions if we asked them, and if we knew to ask them, but it would not routinely report these things, and in general they would not fall within the focus of the committee.”

One major revelation of the Washington Post piece is that there isn’t even Intel Committee oversight of 12333 overseas activities, even though Americans’ data is collected via that authority, and our privacy substantially affected.

We have also learned that the NSA subverts encryption standards, collaborates with technology companies in the United States and abroad to build backdoors into their products, and coerces businesses into handing over their master encryption keys. These practices impact the privacy of average people by making the systems we rely on for the transmission and storage of sensitive data less secure.  Both the NSA and thieves can defeat weak encryption standards and find hidden backdoors.  Turning over encryption keys gives the NSA technical access to all the services’ customers’ communications.

These practices by themselves do not fit the FISA definition of electronic surveillance, though the acquisition of content or installation of surveillance devices enabled by these techniques may. There’s no sign that Congress or the FISA court approved the NSA’s NIST caper or its successful negotiations to ensure or install backdoors in commercial products. No law requires Internet companies to grant such access or empowers the government to demand it. In 1994, Congress adopted the Communications Assistance for Law Enforcement Act (“CALEA”). CALEA was intended to preserve but not expand law enforcement wiretapping capabilities by requiring telephone companies to design their networks to ensure a certain basic level of government access. The Federal Bureau of Investigation pushed its powers under CALEA, however, and the law was expanded in 2005 by the Federal Communications Commission to include broadband Internet access and “interconnected” VoIP services which route calls over the traditional telephone network. Pure Internet services, however, are not subject to CALEA. The FBI will seek to change that, but for now, nothing in CALEA prohibits these companies from building robustly secure products that will protect their customers’ data from attacks.

Yet, the Guardian reported that some companies have built or maintained backdoors allowing government access to their services, and specifically identified Microsoft and its VoIP service, Skype. To the extent Skype’s VoIP service operates peer-to-peer independent of the traditional phone network, it is not subject to CALEA obligations.  Yet, Microsoft said, in response to the Guardian report, “when we upgrade or update products legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request.” It’s unclear what those “legal obligations” might be, though some have pointed to the general obligation of electronic communications service providers to “provide the Government with all information, facilities, or assistance necessary to accomplish the acquisition” under section 702 of the FISA Amendments Act.  Is the government using that rather generic provision of law to force creation or maintenance of technological vulnerabilities in communications networks?  If so, Congress ought to know, and so should the public which relies on these facilities for secure communications.

The Lavabit case gives the public some idea of how the government has relied on similar assistance provisions in the criminal pen register statute to force disclosure of master encryption keys, despite the absence of any explicit obligation to do so.  There, the FBI wanted secure email provider Lavabit to install a pen register to identify Internet traffic addresses for one of the company’s users.  The system was engineered so that that information was encrypted and could not be obtained via pen register. The government then asked Lavabit for its SSL key.  However, disclosing the key would give the government access to communications of all other Lavabit customers, as well as the targeted user.

Lavabit’s owner, Ladar Levison, offered to collect the data for the government, a compromise that would get the FBI the information it wanted without impacting the security of its other customers. Unappeased, the government obtained a court order commanding Levison to travel from Texas to personally appear in a district court in Virginia to explain his refusal to produce the key. It further secured a grand jury subpoena, which explicitly commanded Levison to appear before the grand jury and bring with him Lavabit’s private keys. While Levison was traveling to appear pro se in district court, the government obtained a third order, this time a search warrant, which again commanded Lavabit to hand over its private keys and also gagged Levison and the company from telling anyone that the government had done so. The District Court ruled against Levison and gave him 24 hours to comply.  At that point, Levison closed down Lavabit’s services.  Lavabit has now retained appellate attorneys and challenged the Court orders in the Fourth Circuit. Thanks to Levison’s decision to shut his doors rather than comply, we may one day get a public hearing on the legitimacy of this underground government practice.  It appears there was no secret review in the FISC or in Congress.

NSA activities, either those overseas which “target” foreigners or those which tamper with encryption or commercial security, arguably fall outside of FISC review because of FISA’s parsed definitions of “electronic surveillance” and may elude Congressional oversight because they are mistakenly considered to impact only foreigners.  Now we know this is a mistake.  The NSA is acquiring information about Americans from overseas collection.  Additionally, American disregard for the privacy of innocent foreigners has a direct impact on American companies, which depend upon global trust to operate.

Senator Feinstein is right; it’s time for Congress to find out exactly what the NSA is doing under which legal authorities, and why. Given what we now know, it’s time to rein the NSA’s practices in by expanding the categories of collection, surveillance, and other activities for which the NSA needs to seek judicial and Congressional approval, since E.O. 12333 activities are causing collateral damage to American interests, civil liberties, and human rights. Addressing the problem of NSA surveillance occurring outside of FISA and Congressional oversight will be complicated by arguments that the president would have independent authority under Article II, even if FISA specifies that it is the exclusive means for conducting surveillance.  It’s time to have those arguments.

Published in: Blog, NSA, FISC, Privacy