In two years, section 702 of the FISA Amendments Act will expire. It is essential the public to have confidence that any reforms to section 702 will actually address problems with PRISM and Upstream surveillance. To get that confidence, we have to know a lot more about how the intelligence community is using section 702. That understanding requires more investigation. For example, the Privacy and Civil Liberties Oversight Board wrote a long and enlightening report on section 702. But the PCLOB couldn't tell how many Americans are likely effected by section 702. It took an investigation by the Washington Post to tell us that in its multiyear sample of data, over 50% of the materials were of or concerning an American, and that 90% of the data came from someone other than the putative target of surveillance. That much bycatch is a real privacy concern that the current law and policy doesn't adequately address. Or take this example: The PCLOB report says that every selector used for section 702 must be “a specific communications identifier” and "always must be associated with a specific person or entity.” PCLOB report at p. 112, 123. Yet, we've learned that the NSA is scanning the network for foreign cybersecurity threats. Is what the IC told PCLOB about selectors true, and if so, how are cybersecurity threat signatures associated with a specific person or entity?
Here is a preliminary list of documents that need to be declassified and questions that we need to know to really begin to understand section 702 surveillance.
Documents to see
Current targeting procedures [2009 procedures were leaked by Snowden, but current procedures have never been declassified]
Minimization procedures for CIA and FBI
Office of Legal Counsel opinions that govern interpretation of Section 702
FISC certifications under 702
FISC opinions that govern interpretation of Section 702
· There was an overcollection problem briefed to the Intel Committees on upstream collection in 2012. When was that briefing and what was the substance? Was that briefing before the 2012 reauthorization?
· Have there been Inspector General reports that address Section 702 that have not yet been made available to the public? What are they and when are they coming out? What reports are underway?
· What measures has the IC taken to encourage and protect whistleblowers who have concerns with aspects of Section 702?
Questions as to Statistics on Collection and Use
· How does the IC respond to the Washington Post report from July of 2014 that 50% of section 702 data concerns Americans and 90% of the data concerns non-targets? [http://www.washingtonpost.com/world/national-security/in-nsa-intercepted...
· Approximately how many communications were collected and retained by the government as a result of Section 702 surveillance in 2014?
· How many of the 702 collected communications are of or concerning U.S. persons? What can the IC do to shed light on the extent to which communications involving U.S. persons or people located in the United States are being acquired and utilized under Section 702. [See PCLOB report at p. 47.]
The IC has said that it cannot/will not count Americans whose data is collected pursuant to Sec 702. But PCLOB and others have strongly recommended it.
· What are the latest numbers for queries of Sec. 702 databases by the NSA, CIA, and FBI? [Unminimized data available to these agencies]
· What other federal, state, or local agencies have access to 702 data, minimized or unminimized? How many queries of such databases for these agencies?
Questions as to 702 surveillance topics and selectors
· What certifications has the FISC issued for 702 surveillance?
· How does the IC determine that communications traffic is U.S. person traffic? For example, when an Amazon server inside the U.S. connects to an Amazon server outside the U.S., how does NSA scan that connection?
· What changes about the gathering or retention of information under Section 702 once the determination that communications traffic is U.S. person traffic?
· We have previously been told a selector is a communication facility (such as an email or phone number). We now know if can include a threat signature of malicious code. What is the IC’s definition of “selector”? Can the IC give us a full list of types of selectors? What restraints exist on what can be used as a selector?
· List all the kinds of selectors used under section 702.
· Are any of these selectors connected to First Amendment activities (such as publication of extremist magazines or overseas political groups)? If so what kind of First Amendment protection do those identified using such selectors have? What kind of First Amendment protection do Americans communicating with these targets have?
· How are threat signatures used as selectors under Sec. 702 and what is considered a selector for cybersecurity purposes? What other requirements - if any - exist for use of threat signatures as selectors under Sec. 702?
· PCLOB told the public that every selector used for section 702 must be “a specific communications identifier.” PCLOB report at p. 123. And always must be associated with a specific person or entity.” PCLOB report at p. 112. Is this true, and if so, how are cybersecurity selectors associated with a specific person or entity?
· How does the IC handle data that a cybersecurity attacker may be funneling out of an American company? Does NSA collect it, is it made available to other agencies for queries?
· What is the legal rationale for treating cyber signatures as "selectors" under Section 702?
Domestic Use Questions
· What are the rules for CIA and FBI access to section 702 data? [These agencies have access to unminimized data.]
· What are the rules for DEA, IRS or other law enforcement agencies’ access to section 702 data? [Access to minimized data?]
· What kind of metadata is the IC collecting through section 702? How is American metadata treated under the minimization procedures?
The IC likes to say it is minimized, i.e. run through minimization procedures. But those procedures have privacy protection for Americans’ communications not Americans’ information. So unclear whether Americans’ metadata, address books, buddy lists, etc. are purged during minimization, or kept in bulk for later analysis as NSA is doing with phone records under section 215.
· How many backdoor searches of Section 702-acquired communications does the FBI conduct using identifiers associated with US persons? In how many and what types of criminal investigations?
· How does the FBI track its use of backdoor searches and its reliance on Section 702-acquired information?
· Under what circumstances does the FBI give Americans notice that it is using or has used Section 702 acquired information?
· Why hasn't the Department of Justice given notice of Section 702 surveillance to a single criminal defendant since April 2014? [Do criminal defendants charged using evidence derived from back door searches get notice of those back door searches?]
· How is the Department of Justice interpreting its obligation to give notice of Section 702 surveillance in criminal prosecutions?
· Is the Department of Justice currently engaging in parallel construction to avoid giving notice of Section 702 surveillance—for instance by omitting Section 702 surveillance from traditional FISA applications? How is the Department of Justice defining when its evidence is "derived from" Section 702 surveillance?
· How is the government interpreting their obligation to give notice of Section 702 surveillance in other legal proceedings, such as "no fly" list challenges, immigration proceedings, and Treasury Department asset-seizure proceedings? (link to NYT article)
· On February 3, 2015, the Administration announced numerous changes to surveillance activities to protect privacy and civil liberties, including reforms to its Minimization Rules. The updated rules say that data collected under Sec. 702 can be used as evidence in trial of particular kinds of cases, but do not define several terms, specifically "criminal cases with national security implications" and "crimes involving cybersecurity." What is the definition of these terms?
· What efforts, if any, are made to protect privileged communications like attorney-client communications?
Role of Courts/FISC
· Who has standing to challenge PRISM surveillance? Who has standing to challenge Upstream surveillance?
· Has any provider challenged either PRISM or Upstream surveillance under Section 702 surveillance in the FISC?
Reform related questions
· Does the IC believe other authorities exist that would empower the IC to gather the same or similar information as is gathered under Section 702? What are they? Does the IC use them now?
· Why shouldn’t the government be required to obtain a warrant after the fact in order to use or retain the communications of Americans collected using warrantless Section 702 surveillance, at least when it is aware that those communications belong to Americans?
· Does the IC oppose a requirement that a query for Americans’ data require a warrant, if there were also provisions for an emergency? What security concerns could a warrant requirement with an emergency provision raise?
· Does the IC oppose narrowing the purposes for which Sec. 702 is conducted from broad foreign intelligence to national security related purposes? Were we to do this, would the list of purposes set out in PPD-28 serve as an effective model?
· Does the IC oppose narrowing the targets for Section 702 to agents of foreign powers?