Stanford CIS

Did PCLOB Answer My Eight Questions About Section 702?

By Jennifer Granick on

TL;DR: A little bit, but not enough.

Yesterday, the Privacy and Civil Liberties Oversight Board (PCLOB) issued a massive report about the legally and technologically complicated government surveillance program operating under section 702 of the FISA Amendments Act

In the lead up to this report, I had identified eight basic but important questions the public needs to know about section 702 surveillance. While I’ll have a lot more to say about the PCLOB report in coming days and months, I’d like to start with looking at whether the report answers these questions.

  1. How many of the 702 collected communications are of or concerning U.S. persons?

The PCLOB still does not have an answer for this question. On page 97 of the report it acknowledges that this is a very important question, one which it likely highly relevant to whether Section 702 is constitutional under the Fourth Amendment. And yet, noone knows.

  1. Do U.S. intelligence agencies have direct access to any communications providers’ systems or networks? If not, how does NSA collect real time data via section 702?

The PCLOB report doesn’t address this specific question. PRISM slides say that NSA has “direct access” to service provider networks, and that NSA can collect real time information via PRISM.  Yet, most providers have vigorously refuted the claim that NSA has direct access to their servers.  I asked whether providers play any gatekeeping role to ensure that NSA does not overcollect.

However, while the report doesn’t describe the technical architecture of PRISM, page 39 says that “before data is entered into systems available to trained analysts or agents, government technical personnel use technical systems to help verify that data sent by the provider is limited to the data requested by the government.” This fact helps answer the question of whether NSA does overreach in its PRISM collection, but doesn’t address the question of whether it could.

  1. Can PRISM operate with higher levels of assurance that the person on the other end of the line is a foreigner?

The PCLOB says “yes”.  Recommendation #1 suggests that “the NSA’s targeting procedures should be revised to (a) specify criteria for determining the expected foreign intelligence value of a particular target, and (b) require a written explanation of the basis for that determination” and that this documentation will help FISA judges oversee the program. In a similar vein, Recommendation #4 asks that NSA submit its tasking sheets to the FISA court to aid that review.

More generally, the PCLOB’s explicitly debunks the claim that PRISM is designed to produce at least 51 percent confidence in a target’s “foreignness”. To the contrary, if there is any conflicting information indicating whether a target is located in the United States or is a U.S. person, that conflict must be resolved. The standard is not “probable cause” however.

DOJ looked at this question in 2013. It asked for that one year period, in how many cases did NSA task a selector and subsequently realize after receiving collection from the provider that a user of the tasked selector was either a U.S. person or was located in the United States?  This happened in only 0.4% of the cases, which is quite low.

That could be because the NSA does a great job with foreignness determinations. It could also be because the NSA’s post-collection information processing does a terrible job at identifying its foreignness mistakes. Another study where DOJ—or better yet, a neutral party–does an independent investigation of whether taksed selectors are, in fact, only used by non-US persons would help answer this question more definitively.

  1. What is the national security value of authorizing warrantless surveillance of people who are not agents of foreign powers?

One of the most disturbing things about Section 702 for Americans and non-Americans alike is that it brings regular people under U.S. intelligence agencies’ gaze by doing away with the requirement that the target of U.S. based surveillance be an agent of a foreign power. I asked whether Section 702 would be useful if it required that NSA believe targets were agents of foreign powers. I also asked what the national security impact of stopping “about the target” collection would be.

The PCLOB report doesn’t answer this question. In fact, it punts generally on the important issue of privacy rights for people around the world. Instead, it promises to take up the issue in the context of its participation implementing a new Presidential Policy Directive (PPD-28). For now, it settles for Recommendation #4 which the board believes will help FISA judges to review the NSA’s determinations of who and what to target.

However, greater limits on acceptable targets may not interfere with the program’s identified successes. In the section on the program’s efficacy, the PCLOB says—though I’m not sure it’s entirely true—that section 702’s implementation consists entirely of targeting specific individuals about whom the government already knows something. PCLOB gives two examples. In one, “NSA was conducting surveillance under Section 702 of an email address used by an extremist based in Yemen.” In the second, “NSA monitored under Section 702 the email address of an Al Qaeda courier based in Pakistan.”

Both these interceptions likely could have taken place if NSA were limited to foreign powers and their agents. That is because the definition of “foreign power” includes

(4) a group engaged in international terrorism or activities in preparation therefor; (5) a foreign-based political organization, not substantially composed of United States persons

And agents of foreign powers include someone who “engages in international terrorism or activities in preparation therefore”. I cannot tell from the report whether the “Yemeni extremist” would or would not fit this description. Nor does the report look at whether there were other, less invasive means, of obtaining the same information.

Perhaps in acknowledgment of this difficulty, PCLOB’s Recommendation # 10 is that “the government should develop a comprehensive methodology for assessing the efficacy and relative value of counterterrorism programs.”

  1. What kinds of selectors do intelligence agencies use when conducting “about” collection?

As a preliminary matter, PCLOB recognizes that there’s nothing in section 702 that authorizes “about” collection. Rather, the report says, that section 702 “while silent on “about” upstream collection, can permissibly be interpreted as allowing such collection as currently implemented.” In other words, Congress didn’t authorize “abouts” but they didn’t say no either, and NSA is doing it really, really carefully.

How carefully? The PCLOB report specifies that in undertaking “upstream” searches where “about surveillance takes place, NSA analysts must use selectors that are a specific communications facility that is assessed to be used by the target. The selector is “based on . . . things like phone numbers or emails.” (emphasis added). The selectors are “not a ‘keyword’ or particular term (e.g., ‘nuclear’ or ‘bomb’)”. Nor are they “the names of targeted individuals (‘Osama Bin Laden’)”.

I have said that Congress and the PCLOB need to understand very clearly what kinds of selectors the NSA uses when it conducts “about” collection. “Communications facilities” or “communications identifiers” are undefined terms. Using the mild examples of an email address or phone number doesn’t tell the public how broad a facility can be monitored, or give us an idea how much innocent or constitutionally protected information NSA collects.

For example, is the URL where Al Qaeda publishes Insight Magazine a communications facility? Many people, including American scholars, read that magazine. Can NSA collect web traffic (including metadata) to, from and about that magazine under section 702? We still don’t know the answer to that question.

The PCLOB recognizes that more information is needed regarding “about” collection. To that end, Recommendation #7 is that “the NSA periodically should review the types of communications acquired through “about” collection under Section 702, and study the extent to which it would be technically feasible to limit, as appropriate, the types of “about” collection.”

  1. Do intelligence agencies minimize address books, buddy lists, stored documents, system backups and/or other electronic transmissions where there is no human being on the received end of the transmission as “communications” under the minimization procedures? Or are those fair game?

PCLOB does not answer this question. As I have written, the thirteen-page 702 minimization procedures only apply to communications. Intelligence agencies may exclude unshared stored data and other user information from the definition of communications, which would mean no minimization rules at all apply to protect American privacy in those categories of 702 collected information. Do NSA, CIA and FBI treat metadata, address books, buddy lists, stored documents, system backups and more as communications that must be handled with care, or are they basically allowed to do whatever they want with them because they are not “communications”?

  1. How many times and about how many different people has NSA disclosed section 702 data to CIA, FBI, DEA, IRS or other law enforcement agencies?

The PCLOB report does not respond to Reuters’ reports that NSA shares information with both the Drug Enforcement Administration (DEA) and the Internal Revenue Service (IRS).

The report does describe a very close relationship between NSA, CIA and FBI, however. FBI and CIA can “nominate” selectors for the NSA to use and then obtain responsive 702 data. [Neither CIA nor FBI have access to raw, unminimized upstream collection, but if I understand the report and the procedures correctly, once minimized the data can go to those agencies]. Each agency then has its own procedures for querying and further “minimization” (allowable use) of the data. Further, the information need not be only for a foreign intelligence purpose, so long as foreign intelligence is a “significant” purpose.

In retrospect, the report shows that my initial question was a naïve one. Its not an issue of how many times information is shared. Information is always shared between these three agencies in the due course of business.

We still don’t have good information about whether and how data goes to DEA, IRS or other agencies, although I assume that dissemination happens via FBI. The report does suggest FBI is the leaky valve through which US persons’ data is being used for all sorts of non-foreign intelligence purposes in as-yet-unknown-ways. Hence, the PCLOB’s second recommendation is that:

The FBI’s minimization procedures should be updated to more clearly reflect actual practice for conducting U.S. person queries, including the frequency with which Section 702 data may be searched when making routine queries as part of FBI assessments and investigations. Further, some additional limits should be placed on the FBI’s use and dissemination of Section 702 data in connection with non–foreign intelligence criminal matters.
  1. What is the legal basis for searching section 702 data for U.S. person identifiers, and what are the applicable guidelines for doing so, if any?

The new report has quite a lot of information about querying 702 data for US person identifiers, what Senator Ron Wyden and the rest of us call “backdoor searches”. The discussion starts on page 55 and goes to page 60, giving an overview of NSA, CIA and FBI procedures for such queries. The Board agrees that these practices push the 702 program towards unconstitutionality, and recommend changes, though the members are split on exactly how extensive those changes should be. In particular, not enough information is known on what FBI does with our “incidentially” collected data, or how often. The full board agrees that at the very least:

The NSA and CIA minimization procedures should permit the agencies to query collected Section 702 data for foreign intelligence purposes using U.S. person identifiers only if the query is based upon a statement of facts showing that it is reasonably likely to return foreign intelligence information as defined in FISA. The NSA and CIA should develop written guidance for agents and analysts as to what information and documentation is needed to meet this standard, including specific examples.

Chairman David Medine and Board Member Patricia Wald would go further, essentially requiring NSA, CIA, and FBI to go before the FISA court to justify in advance and ensure judicial review of any queries using US person identifiers as appropriate for each agencies’ mission.

The PCLOB report provides a nice summary of the available data on NSA, CIA, and FBI use. However, PCLOB recognizes there is still more that Congress and the public needs to know about this practice. Specifically, the FBI doesn’t bother to even document such queries, except to acknowledge that the number is “substantial.” Further, the full board agrees that there needs to be at minimum better regulation of backdoor searches—with two members recommending that the government end warrantless queries of the data for US person identifiers all together.

In sum, the PCLOB report is a public asset, but it does not answer important questions. In some places, by adopting NSA-speak like “bulk collection” and “communications facility” it perpetuates misunderstanding. Finally, as a watchdog report, it makes admittedly important procedural recommendations, but it fundamentally fails to fully and critically explore basic, important questions.

I leave you–and the PCLOB–with this quote from last week’s United States v. Riley, in which a unanimous U.S. Supreme Court held that warrantless cell phone searches incident to arrest are unconstitutional. As Chief Justice Roberts noted:

[T]he Founders did not fight a revolution to gain the right to government agency protocols.
Published in: Publication , Other Writing , Privacy , NSA , FISA