Cross-posted from Just Security.
Margo Schlanger has written a great article forthcoming in the Harvard National Security Journal about intelligence legalism, an ethical framework she sees underlying NSA surveillance. Margo makes the case that NSA and the executive branch haven’t been asking what the right surveillance practices should be, but rather what surveillance practices are allowed to be. She takes the concept of legalism from political theorist Judith Shklar: “the ethical attitude that holds moral conduct to be a matter of rule following, and moral relationships to consist of duties and rights determined by rules.” In the model of legalism that Margo sees the NSA following, any spying that is not legally prohibited is also right and good because ethics is synonymous with following the rules. Her critique of “intelligence legalism” is that the rules are the bare minimum, and merely following the rules doesn’t take civil liberties concerns seriously enough.
My question is whether legalism serves as a moral code for US Intelligence Community (IC) leadership, or only as a smokescreen. I believe the evidence shows that since 9/11,the IC, and specifically the NSA has not followed the rules. Rather, the agency has resorted to legalistic justifications in pursuit of other goals—namely whatever might be useful in countering terrorism. Before 9/11, the agency may have been focused on complying with FISA. But afterthat day, the NSA’s approach was that it “could circumvent federal statutes and the Constitution so long as there was some visceral connection to looking for terrorists.” In other words, since 9/11, the moral center of gravity in the surveillance world has focused on doing whatever is necessary for hunting terrorists, not following the rules.
Margo also argues that the NSA’s legalism equates to, for better or worse, the empowerment of lawyers. Sign-off by lawyers is, as Margo says, an important part of the process. Lawyer opinions gave telecommunications firms legal immunity for their cooperation with the government in conducting mass surveillance. Lawyers were used to compel compliance from underlings within the intelligence community. They’ve been used cynically for public relations purposes, trading on the public trust in the actions of government lawyers to cloud the public debate over legality. They’ve been used to marginalize the role of Congress in approving surveillance. The decisions of lawyers inside the surveillance community have allowed America’s spies to secretly expand their power as they develop classified capabilities and practices that the public and Congress haven’t yet become aware of, and have not even begun to regulate.
But calling this “empowerment” is misleading. We see lawyers who object to policies that may harm civil liberties bypassed in favor of handpicked counsel who give their bosses the answers they want. Lawyers are ratifying surveillance decisions policy makers have already made.
That’s not empowerment, it’s subservience.
LEGALISM AND WORDPLAY: Don’t be “led astray” by common definitions
How does Margo’s concept of legalism account for the surveillance community’s misleading wordplay? Take for example the doublespeak NSA and Department of Defense (DoD) officials use when they talk about surveillance rules. A Defense Intelligence Agency “intelligence law handbook” explains that a DoD document regulating NSA conduct has special definitions of commonly used words, so that analysts should “adjust their vocabulary” lest they be led astray by relying on commonly understood definitions.
One such word is “collect”. When Sen. Ron Wyden (D-Ore.) asked Director of National Intelligence James Clapper whether the NSA collects any information at all on millions or hundreds of millions of Americans, Clapper said “no, not wittingly.” We now know, as the Senate and Clapper both knew at the time, that the NSA does in fact collect such information. Yet, in an interview with NBC’s Andrea Mitchell, Clapper refused to admit that he had lied to Congress. Rather, he justified his answer with a legalism. He said that “I responded in what I thought was the most truthful, or least untruthful manner, by saying no.” Clapper indicated that his response to Wyden turned on a definition of “collect:” “There are honest differences on the semantics of what — when someone says ‘collection’ to me, that has a specific meaning, which may have a different meaning to him.”
Clapper thinks that “collect” doesn’t mean “gather.” It means “taking the book off the shelf and opening it up and reading it.”
To understand surveillance, you must also free your mind from traditional definitions of other words, including “target,” “relevant,” “incidental.” As cryptographer Matt Blaze once said, crafting a question to get meaningful answers from the NSA is a lot like crafting a wish to get a genie to give you what you actually want. The agency is warping language in order to make rules mean something very different from what ordinary people would take them to mean. Do these word games demonstrate respect for rules, or subversion of them? I think it’s subversion.
The duty to follow the law has not stood in the way of NSA’s radical—and illegal—bulk surveillance practices like STELLARWIND, and the ongoing phone data collection.
Immediately following the attacks of 9/11, then-NSA head Michael Hayden told Vice President Dick Cheney that the agency could not do much more on the surveillance front without violating FISA. Rather than respect the lawyers who were saying no, President George W. Bush bypassed the laws by secretly authorizing the President’s Surveillance Program (PSP). The PSP—better known by its code name STELLARWIND—involved collecting and analyzing a vast quantity of international and domestic Internet and telephone communications and transactional data.
Only after President Bush already authorized domestic surveillance did the lawyers get involved. Even the attorney general at the time, John Ashcroft, learned about the PSP only after Bush had okayed it. According to reporter Kurt Eichenwald, “Ashcroft gave his after-the-fact certification of the program’s legality on the same day he learned of it. He conducted no legal research to verify his conclusions.” Eric Lichtblau reported that Ashcroft said that the president had “just shoved [the order] in front of me and told me to sign it.”
When the Office of Legal Counsel (OLC) needed to perform a legal analysis of STELLARWIND, Vice President Dick Cheney and his aide David Addington hand-picked John Yoo to do it. The White House knew Yoo would write the kind of opinion they wanted. The opinion was not vetted through other OLC lawyers as was the usual policy. Further, no one at NSA was allowed to see the OLC memos; they were kept in a locked safe. NSA lawyers were assured that there was a legal basis, and apparently they decided to accept that assurance on faith and go along. Unsurprisingly, what we have seen of the final memo (it has never been fully declassified), is a factual and legal disaster.
This disorganized scramble to get something, anything, on paper and then lock it away so no one could see how crappy it is demonstrates neither an ethical respect for rules nor the empowerment of lawyers. And if these machinations could be forgiven in the immediate aftermath of9/11, things didn’t get better as the years wore on. Instead, as a whole, the IC and the FISA court have worked together to rubber stamp surveillance decisions, not just when the rules allow it, as Margo suggests, but also when the rules prohibit it.
Just take a look at judge Colleen Kollar-Kotelly’s sloppy 2004 FISA court opinion approving one aspect of STELLARWIND, the collection of all American Internet transactional data, under the FISA pen register/trap and trace statute. For the first time in American history, a judge in a secret court set up just for the Intelligence Community was ruling that Congress authorized domestic bulk collection. It’s a big deal.
But, at NSA’s behest, the judge overlooked the clues that showed the pen register statute was written for targeted, and not mass, collection. As Orin Kerr writes, key words of the pen register statute prove it was written for micro-scale surveillance, not the macro-scale.
The pen register statute requires a mere certification of “relevance.” As Christopher Sprigman and I have said, relevance is a concept that is fundamentally incompatible with the mass collection of data. For hundreds of years, government has asked judges to authorize the collection of evidence based on a “relevance” standard. Those efforts always involve some argument linking specific evidence sought to a specific instance of suspected wrongdoing. In this framework, the mass collection of all data unconnected to any suspected wrongdoing could never meet the relevance standard. The entire enterprise makes a mockery of the concept of relevance.
Under the pen register statute, the authorizing judge has almost no opportunity for pre- or post-collection oversight. The court is not allowed to investigate the basis for the certification. Nor does the statute authorize the judge to put any controls on the government’s subsequent use of bulk collected data. Failure to provide post-collection oversight would be just crazy for a statute that lets the government collect everything on everyone—another sign that’s just not what the pen register statute does. Even Kollar-Kotelly was uncomfortable with this lack of rules, and—over government objections—only authorized the bulk collection in conjunction with usage rules to ensure that NSA and other government agencies would not abuse the privilege. Yet, the statute did not so empower the judge, and the NSA didn’t follow Kollar-Kotelly’s rules anyway.
This isn’t legalism. It’s simply cowardice: allowing fear of terrorism to trump law. And this 2004 opinion was the basis for the 2006 approval of STELLARWIND’s phone records collection under section 215 of the USA Patriot Act, but despite the use of a different statute, that judge didn’t even bother to write an opinion justifying her reasoning. Surprise, surprise: the NSA didn’t follow those rules either.
The attitude hasn’t changed. In December of 2013, Senate Judiciary Committee chairman Patrick Leahy (D-VT) asked Deputy Attorney General James Cole about a pending version of the USA FREEDOM Act intended by all sponsors to end NSA dragnet collection of Americans’ communication data. Cole said that, despite the Senators’ intentions, their reform efforts wouldn’t necessarily inhibit the NSA’s surveillance capabilities. “[I]t’s going to depend on how the court interprets any number of the provisions that are in [the legislation].” Comments like this betray a serious problem inside the executive branch. The Administration and the intelligence community believe they can do whatever they want, regardless of the laws Congress passes, so long they can convince one of the judges appointed to the secretive Foreign Intelligence Surveillance Court (FISC) to agree. This isn’t legalism, or even the rule of law. As I wrote at the time, it’s collusion within the IC to reach a predetermined result, a common law coup d’etat.
The scope of the president’s Article II powers loom over all discussion of modern surveillance legality. Where Congress has regulated, the president can act in contravention of statute only if executive authority is exclusive, and not subject to the check of statutory regulation. However, after 9/11, the executive branch strongly began pushing a theory of “Commander-in-Chief override”, which maintains that it is unconstitutional for congressional action to limit the president’s exercise of his “war powers” under the Commander-in Chief clause of Article II.
As Steve Vladeck has written, the argument claiming statutes imposing barriers to unilateral executive action are unconstitutional even where Congress has power to regulate is unprecedented. And nowhere has this novel argument been pushed more strongly than in the Justice Department’s defense of the president’s warrantless wiretapping program. From NSA white papers to congressional hearings on surveillance, executive branch officials assert that “if the president chose to exercise Article II authority, that would be the president’s call” and there’s nothing that Congress can do to constrain that authority.
This argument is both novel and grossly overstated, but it’s not necessary to explain why here. My point is that the unprecedented Commander-in-Chief override gives lip service to legal rules and regulations (it’s in Article II!), but is essentially lawless (S/he can do whatever s/he wants.) Looming over legislative efforts to rein in surveillance practices is the danger—or implicit threat—that Congress will be instigating interbranch power struggle against a president that will assert his override, and the fight could tear the government apart.
As a lawyer, I understand that an interpretation of Article II powers that would vitiate whatever Congress might legitimately try to do to protect the American people is, technically, a legal argument. But it’s not “an ethical attitude that holds moral conduct to be a matter of rule following.” It’s a Get Out of Jail Free card that just allows the IC to make up its own rules, which, at that point, aren’t rules at all.
It’s the absence of affirmative regulation—Congress’s failure to act—that has allowed some of the NSA’s most troubling activities to flourish. NSA (and law enforcement agencies) fight any congressional effort to issue rules, not in the least by hiding their activities from public view.
The NSA has built a network of compromised Internet routers it uses for surveillance and to install spyware. It is capable of hijacking user connections to Facebook in order to install malware on a target’s computer. It forced Microsoft and Cisco to build surveillance back doors into their products. It has automated control over swarms of computers—botnets—capable of attacks that bring down websites and computer systems. US intelligence agencies have successfully undermined various encryption protocols and implementations. The Intelligence Community purchases zero-day exploits thereby helping drive the market for malware. All of these techniques contribute to a network infrastructure that is insecure, something that benefits not only America’s spies, but other governments, thieves, and terrorists.
Meanwhile, Congress hasn’t even authorized the FBI to hack, though the agency does. The FBI uses “Stingray” devices to warrantlessly track the location of US citizens’ cell phones and it remotely accesses people’s computers to perform searches. The bureau even creates fake news sites to entice suspects to visit and then be compromised by FBI surveillance malware. The DEA has a vast “law enforcement sensitive” database of phone call information called Hemisphere—only discovered by a citizens’ series of public information requests to West Coast police agencies. The IRS gets data on Americans from the NSA for tax enforcement reasons.
Yet Congress has never had a hearing to specifically discuss the desirability of any these practices, nor has it explicitly authorized these three letter agencies to do these things.
And, rather than disclose its use of these practices in court, the government frequently uses “parallel construction”—making up a fake story and an alternative investigatory trail for how they discovered the information.
LEGALISM OR LIPSTICK?
In February of 2014, The NSA sent out two of its senior lawyers, Director of Compliance John DeLong and its General Counsel Rajesh De, to make the pitch that the agency is actually an intensely-regulated, closely-watched, and law-abiding good citizen. It is true that today, in response to NSA failures to follow FISC post-collection rules, the agency has a large bureaucracy devoted to compliance, headed by Mr. DeLong. Margo calls this bureaucratic structure an “Office of Goodness”, because the compliance office is tasked with furthering a value not primary for the NSA and it wouldn’t be there unless the NSA believed compliance to be A Good Thing. The first part of that argument, at least, makes sense. I have no doubt that compliance is a major expense for NSA or that today the agency takes it very, very seriously. But I don’t know whether the NSA leadership supports the compliance department because they think its ethical to do so, or because they think its politically necessary to preserve NSA’s relationship with the FISA court judges it pissed off, and who have to continue to approve at least some of NSA’s surveillance activities.
Either way, if the public laws that Congress passes don’t mean what they say, then compliance is just lipstick on a pig. Chris Sprigman wrote about this here at Just Security, and he sees the culture of lawyering at the NSA, far from assuring the agency’s lawfulness, as actually aiding and abetting the essential lawlessness of the mass surveillance programs.
“There is a danger here that the role of the NSA’s lawyers – and this goes for both De and DeLong – creates the appearance but not the reality of lawfulness, and, in the end, does not vindicate the law, but subverts it.”
If Chris is right that De and DeLong and the agency’s other lawyers have very little, if any, input into the Administration’s interpretation of the agency’s legal authority (and neither lawyer has claimed to have such input), then NSA lawyers aren’t empowered, they are rubber stamps. De is the agency’s general counsel, responsible to ensure that the agency’s employees operate within the law. Yet he emphasizes repeatedly that he relies on the expansive interpretation of the NSA’s authority that he says has been approved by Congress, and the courts, and the Administration. De hasn’t engaged with the arguments that the agency is overrunning whatever surveillance authority Congress and the courts have actually given it.
Margo argues that legalism actually both crowds out the consideration of policy and interests (as opposed to law and rights), and legitimates the surveillance state, making it less susceptible to policy reform. Chris says that De and DeLong’s approach to agency lawyering is actually lawlessness in disguise. Who is right, and does it matter for reform?
Sprigman is right. And yes, it matters.
Margo is no cheerleader for legalism, and her critique is quite valuable. Rules alone won’t produce true policy reform. But first things first. The priority has to be to rein in an Intelligence Community which has all kinds of tricks to violate the law, contravene public expectations, hide from public scrutiny, and when it gets caught, kick up so much legal dust that no one gets in any kind of serious trouble. Reform which starts from the premise that the IC is ethically committed to following the law won’t be enough to keep the IC from trying to manipulate and evade the rules.
Once we fix that problem, then and only then will we have the luxury of seeking creative opportunities to, as Margo writes, “nurture [the IC’s] civil liberties ecology”.