SAFEGUARDS FOR INTERNATIONAL COOPERATION: On occasion, states may seek assistance from foreign service providers to conduct surveillance. This must be governed by clear and public agreements that ensure the most privacy-protective standard applicable is relied upon in each instance.
SAFEGUARDS AGAINST ILLEGITIMATE ACCESS: There should be civil and criminal penalties imposed on any party responsible for illegal electronic surveillance and those affected by surveillance must have access to legal mechanisms necessary for effective redress. Strong protection should also be afforded to whistleblowers who expose surveillance activities that threaten human rights.
I’m largely addressing the US, although the recommendations in this chapter are applicable elsewhere. In the US, the president can implement some of these recommendations unilaterally by executive order, some require congressional approval, and others require the passage of new legislation. Other countries have their own separation of powers with their own rules. In many countries, of course, implementing any of these recommendations would require radical changes in the government.
LESS SECRECY, MORE TRANSPARENCY
Since 9/11, the Bush and Obama administrations have repeatedly maintained that an extreme level of secrecy is necessary to prevent the enemy from knowing what we’re doing. The levels of secrecy we saw during World War I still make sense. Tactical facts can be very valuable for a limited time, and important to keep secret for that duration. And sometimes we need to keep larger secrets: our negotiating positions with other countries, the identities of foreign agents, military planning, and some areas of national intelligence. Getting back to the important difference between espionage and surveillance, our systems of espionage require a lot more secrecy than our systems of surveillance do.
However, we can be more transparent in many areas. Compare the intense secrecy surrounding NSA surveillance with a very similar domain where we routinely manage quite well without a lot of secrecy: police and crime-fighting. The Fourth Amendment regulates the police’s ability to conduct surveillance, and all the court rulings surrounding it are public. Criminals can read up on all of this, or hire a lawyer who understands it, and then create a detailed manual on how to precisely exploit any loopholes in the law. There are many loopholes, and plenty of defense attorneys who know their way through them. Yet police work continues undeterred, and criminals are routinely arrested and convicted.
More generally, almost everything about police and crime-fighting is public. We know the budgets of all our nation’s police forces. We know their capabilities. We know how effective they are. We know what they do, and how well they do it. We don’t know the identities of undercover police officers, but we know generally how they’re used and what they can and cannot do. All of this is public, known by those of us who grant the police powers over us as well as those of us who want to commit crimes. Yet the police regularly manage to solve crimes.
This demonstrates that the current level of secrecy we have in counterterrorism is excessive. It applies a military level of secrecy to what has always been a domestic matter. Terrorists are not smarter and more formidable than organized crime. Terrorists don’t cause more damage or kill more people; we just fear them more. We need to transfer the traditional law enforcement transparency principles to national security, instead of increasing the secrecy surrounding law enforcement, as we have unfortunately begun to do. We have to design systems that keep us safe even if their details are public and known by the enemy. Secrets are harder to keep today, so we’re better off limiting their numbers.
In the 1980s, the US gave up trying to keep cryptography research secret, because all that did was put our mathematicians and engineers at a disadvantage with respect to their peers in other countries. More recently, the US has abandoned attempting to block research on creating biological viruses, because someone somewhere will publish the information regardless of what we do. Military thinkers now realize that many strategic military secrets are harder to keep because of the ubiquity of satellite imagery and other technologies. We need to think the same way about government secrecy surrounding surveillance.
Transparency laws for surveillance already exist in the US. The original 1968 wiretap law mandated extensive public reporting on the government’s use of wiretaps. The annual wiretap reports are over 200 pages long, and contain an enormous amount of detail. This made it possible for people to verify what the FBI was doing, and ensure that the agency wasn’t abusing its authority. The problem is that when other surveillance authorities were expanded after 9/11, no similar reporting requirements were established. We need to fix this.
The US government should publish detailed, unclassified descriptions of the scope and scale of intelligence gathering. It should publish the legal justifications for all intelligence programs. It should publish information on the type and amount of data collected under those different authorities, as well as details of minimization procedures and data retention rules. And it should declassify all general opinions of the FISA Court, which oversees NSA surveillance under FISA and the FISA Amendments Act. The names of the people and organizations being monitored are legitimately secret; the rules under which organizations operate are not.
MORE—AND BETTER—OVERSIGHT
To rein in NSA surveillance, we need much better oversight over both national intelligence and law enforcement.
Strategic oversight comes first. The NSA has justified its actions by pointing to congressional oversight. Its leaders claim that agency staff merely follow the laws that Congress passes or the orders the president signs. According to one official press release, “NSA conducts all of its activities in accordance with applicable laws, regulations, and policies.” This is not true. In fact, it is deeply disingenuous. We know from recently declassified FISA Court opinions, especially those written by Judge John Bates, that the NSA frequently made misrepresentations to the court, did not follow minimization requirements, and regularly exceeded its legal authorizations.
The NSA has gamed the rules governing congressional oversight to ensure that no actual understanding or critical review happens. Documents the NSA provides to Congress are either propaganda pieces designed to convince or jargon-laden documents designed to confuse. Members of Congress can’t remove those documents from the secure room they’re stored in, nor can they remove any notes they make. They can only bring along security-cleared staffers to help them understand the meaning and significance of the material, but few lawmakers employ staffers with both a top-secret clearance level and appropriate expertise. Additionally, they’re lobbied heavily by the NSA. Senator Ron Wyden has stated that senior intelligence officials repeatedly made “misleading and deceptive statements” in congressional hearings. Senator Dianne Feinstein, chair of the Senate Select Committee on Intelligence and a longstanding supporter of government surveillance, regretfully concluded that her committee “was not satisfactorily informed” by the intelligence community about its activities. Congressman Alan Grayson of Florida called congressional oversight of the NSA a “joke.”
In 2014, I was invited by six members of Congress—members from both parties—to brief them on the NSA’s activities. Because I had reviewed many of the unpublished Snowden documents, I knew more about the NSA’s activities than they did. How can our democracy survive when the best information Congress can get about what the NSA was really doing comes from me?
On the other hand, many legislators don’t want to perform the oversight function assigned to Congress. Some of this reluctance stems from a desire for plausible deniability. It’s politically safer to let the executive branch make the decisions, then let it take the heat when something goes wrong. There’s also political risk in standing up to law enforcement. Few congressional committee members actually venture into that secure room.
The NSA interprets its authority very aggressively and self-servingly. In Chapter 5, I discussed the three different authorities the NSA uses to justify its surveillance activities: Executive Order 1
2333, Section 215 of the PATRIOT Act, and Section 702 of the FISA Amendments Act.
Executive Order 12333, the 1981 presidential document authorizing most of NSA’s surveillance, is incredibly permissive. It is supposed to primarily allow the NSA to conduct surveillance outside the US, but it gives the agency broad authority to collect data on Americans. It provides minimal protections for Americans’ data collected outside the US, and even less for the hundreds of millions of innocent non-Americans whose data is incidentally collected. Because this is a presidential directive and not a law, courts have no jurisdiction, and congressional oversight is minimal. Additionally, at least in 2007, the president believed he could modify or ignore it at will and in secret. As a result, we know very little about how Executive Order 12333 is being interpreted inside the NSA.
Section 215 of the PATRIOT Act was never intended to authorize mass surveillance, and strong arguments can be made that the act’s language doesn’t allow it. The idea was that the FBI would be able to get information “relevant to an authorized [national security] investigation”—that is, about a specific subject of investigation—from a wider set of sources than it could previously. The example the administration talked about was information about what books a suspect checked out of the library; maybe he was reading The Anarchist’s Cookbook or something. In fact, when the bill was being debated, it was known as the “library provision.” It only empowered the FBI to demand information that it could have obtained with a grand jury subpoena—all metadata, no content—but it allowed it to do this without having to convene a grand jury. That made sense; there aren’t really grand juries in national security investigations.
However, after the PATRIOT Act was passed in 2001, the Department of Justice’s national security lawyers combed through the law looking for loopholes. Even though the law was intended to facilitate targeted surveillance, they decided it could be stretched to authorize mass surveillance. Even though it only empowered the FBI, they decided that the FBI could demand that information be sent to the NSA. At first they did this without any court approval at all. Eventually they decided to argue their case in front of the secret FISA Court. Because there was no one arguing the opposing position, they were able to convince a judge that everything was “relevant” to an investigation. This was a new interpretation of the word “relevant,” and one that doesn’t even pass the sniff test. If “relevant” doesn’t restrict collection because everything is relevant, then why was the limitation put into the law in the first place? Even Congressman Jim Sensenbrenner, the person who wrote the USA PATRIOT Act, was surprised when he learned that the NSA used it as a legal justification for collecting mass-surveillance data on Americans. “It’s like scooping up the entire ocean to guarantee you catch a fish,” he said.
Section 702 of the FISA Amendments Act was a little different. The provision was supposed to solve a very specific problem. Administration officials would draw diagrams: a terrorist in Saudi Arabia was talking to a terrorist in Cuba, and the data was flowing through the US, but the NSA had to eavesdrop outside of the US. This was inefficient, it argued, and Section 702 allowed it to grab that conversation from taps inside the US.
Again, there’s nothing in Section 702 that authorizes mass surveillance. The NSA justifies the use by abusing the word “incidental.” Everything is intercepted, both metadata and content, and automatically searched for items of interest. The NSA claims that only the things it wants to save count as searching. Everything else is incidental, and as long as its intended “target” is outside the US, it’s all okay. A useful analogy would be allowing police officers to search every house in the city without any probable cause or warrant, looking for a guy who normally lives in Bulgaria. They would save evidence of any crimes they happened to find, and then argue that none of the other searches counted because they hadn’t found anything, and what they found was admissable as evidence because it was “incidental” to the search for the Bulgarian. The Fourth Amendment specifically prohibits that sort of search as unreasonable, and for good reason.
My guess is that by the time the FISA Amendments Act came around in 2008, the NSA knew what it was doing and deliberately wordsmithed the bill to allow for its preferred interpretation. Its leadership might have even briefed the Senate and House intelligence committees on how it was going to interpret that language. But they certainly didn’t brief all of Congress, and they never told the American people.
I believe that much of this will eventually be found to be unconstitutional. The Fourth Amendment protects not only against unreasonable searches but also against unreasonable seizures. I argued in Chapter 10 that computer searches are searches. The mere act of obtaining a copy of the data in bulk from companies like Verizon is an illegal seizure as well.
The problem is that all three branches of government have abrogated their responsibilities for oversight. The normal democratic process of taking a law, turning it into rules, and then turning those rules into procedures is open to interpretation every step of the way, and therefore requires oversight every step of the way. Without it, agencies abuse their power. We saw this in the 1970s, when the FBI and NSA illegally spied on Americans under projects SHAMROCK and MINARET, as well as under an unnamed program that was part of the war on drugs. And we’re seeing it again today.
Lest you think this is solely a US phenomenon, the same thing happened in the UK in 2000 around the passage of the Regulation of Investigatory Powers Act. Section 16(3), largely unnoticed when the bill was debated, has been used by GCHQ to spy on British citizens. It was intentionally drafted that way, with some members of Parliament in on it and stubbornly defending the obscure and convoluted language that didn’t actually legalize mass surveillance but nonetheless ended up being used to justify it. I believe the idea for FAA Section 702 came from RIPA Section 16(3).
In 2013, President Obama tried to reassure Americans that NSA surveillance programs are reviewed and approved by all three branches of government. His statement was deeply misleading. Before Snowden, the full range of government surveillance activity was known by only a few members of the executive branch, partially disclosed to a few senior members of the legislative branch, and approved by a single judge on the FISA Court—a court that rejected a mere 11 out of 34,000 warrant requests between its formation in 1979 and 2013. That’s not real oversight. However, to be fair, it’s much more oversight than you’ll find in other countries, including European democracies like France, Germany, and the UK.
Some members of Congress are trying to impose limits on the NSA, and some of their proposals have real teeth and might make a difference. Even so, I don’t have any hope of meaningful congressional reform right now, because all of the proposals focus on specific programs and authorities: the telephone metadata collection program under Section 215, bulk records collection under Section 702, and so on. It’s a piecemeal approach that can’t work. We are now beyond the stage where simple legal interventions can make a difference. There’s just too much secrecy, and too much shifting of programs amongst different legal justifications. When companies refuse National Security Letters, the government comes back with a Section 215 order. And the NSA has repeatedly threatened that if Congress limits its authority under Sections 215 and 702, it will shift curtailed programs to the more permissive, less regulated, and more secret EO 12333 authority.
There are other attempts at oversight. The president’s 2013 NSA review group had broad access to the agency’s capabilities and activities. They produced an excellent report outlining 46 policy recommendations, and President Obama agreed to implement many of them. The key question now is whether he will do so. In 2004, Congress created the Privacy and Civil Liberties Oversight Board on the recommendation of the 9/11 Commission to oversee national security issues. It was mostly unstaffed and unfunded until 2012, and has limited powers. (The group’s 2014 report only discussed NSA collection under Section 702. It was widely panned as inadequate.)
More members of Congress must commi
t to meaningful NSA reform. We need comprehensive strategic oversight by independent government agencies, based on full transparency. We need meaningful rules for minimizing data gathered and stored about Americans, rules that require the NSA to delete data to which it should not have access. In the 1970s, the Church Committee investigated intelligence gathering by the NSA, CIA, and FBI. It was able to reform these agencies only after extensive research and discovery. We need a similar committee now. We need to convince President Obama to adopt the recommendations of his own NSA review group. And we need to give the Privacy and Civil Liberties Oversight Board real investigative powers.
Those recommendations all pertain to strategic oversight of mass surveillance. Next, let’s consider tactical oversight. One primary mechanism for tactical oversight of government surveillance is the warrant process. Contrary to what many government officials argue, warrants do not harm security. They are a security mechanism, designed to protect us from government overreach.
Secret warrants don’t work nearly as well. The judges who oversee NSA actions are from the secret FISA Court. Compared with a traditional court, the FISA Court has a much lower standard of evidence before it issues a warrant. Its cases are secret, its rulings are secret, and no one from the other side ever presents in front of it. Given how unbalanced the process it is, it’s amazing that the FISA Court has shown as much backbone as it has in standing up to the NSA (despite almost never rejecting a warrant request).
Some surveillance orders bypass this process entirely. We know, for example, that US Cellular received only two judicially approved wiretap orders in 2012—and another 10,801 subpoenas for the same types of information without any judicial oversight whatsoever. All of this needs to be fixed.
Start with the FISA Court. It should be much more public. The FISA Court’s chief judge should become a position that requires Senate confirmation. The court should publish its opinions to the extent possible. An official public interest advocate should be assigned the task of arguing against surveillance applications. Congress should enact a process for appealing FISA rulings, either to some appellate court or to the Supreme Court.
Data and Goliath Page 19